It seems it takes a publicly disclosed data breach for firms to spend more on data security in the application development phase -- than those that haven't suffered such a breach. At least, that's the finding of a new survey (PDF) conducted by the Open Web Application Security Project, ran by the OWASP Foundation.
I guess it's human nature to only want to cut back on the salt and red meat -- after one has been diagnosed with hypertension. Or take vitamins and drink more fresh juice after being sick.
And that's reflected in the findings of this survey, of about 50 companies: enterprises that were publically breached spend more to develop secure code than those that have not been breached. Or, at least those that weren't required, by the threat of a big regulatory hammer, to publicly disclose the breach.
This shows than any evangelists within organizations fighting to improve the security of applications before they're shipped, or deployed, are fighting an uphill battle against human nature. That is: why fix or focus on something that isn't broken, or causing problems today?
Problem is this: more often than not, software is shipped, or sent onto production Web servers, when it's broken. And by broken, I mean loose enough to enable someone sitting in a café in Kazakhstan to pwn the app, and then most probably the server.
The challenge is people can't see broken, or shoddily written software. At least not if it runs without crashing (too often), they can't see the holes (buffer overflows, etc.) that make the application a sieve to attack.
The good news in the survey is that 61 percent of those surveyed report that they have independent third-parties review their Web application code before it goes to production.
That percentage, based on my own reporting and interviews, strikes me as way high. But it is a survey of only about 50 companies.
In any event, it's good news. And shows some steps in the right direction. With the daily grind of data breaches and software vulnerability announcements -- I'll take it.