Vulnerabilities / Threats

1/22/2018
06:10 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Secure Software Development Requires a New Mindset: Study

Global study identifies existing organizational culture as a key hurdle for companies to overcome in order to thrive in the digital economy.

NEW YORK, Jan. 22, 2017 – CA Technologies (NASDAQ:CA) today revealed results following the second phase of a global survey of more than 1,200 IT leaders around the topic of secure software development. Conducted by IT industry analyst firm Freeform Dynamics, the new report entitled, “Integrating Security into the DNA of Your Software Lifecycle,” highlights the influence of an organization’s culture on its ability to integrate security practices into their software development initiatives, a practice and approach commonly known as DevSecOps.

Today’s digital economy is fueled by software. When software is developed with security integrated from the start, the risk of data breaches is greatly diminished, providing users with heightened levels of confidence and trust when engaging with applications and services that are so ubiquitous in our online world.

According to survey respondents, the majority confirmed that software development supports growth and expansion, helps businesses compete and drives digital transformation. And yet, the findings show that, as software becomes more critical to business success in the digital economy, security concerns are exponentially on the rise. In fact, 74% of respondents agreed that security threats due to software and code issues is a growing concern. CA Veracode’s State of Software Security Report 2017found that vulnerabilities continue to crop up in previously untested software at alarming rates, with 77% of apps having at least one vulnerability on initial scan.

Creating a culture of secure software development is a major challenge, according to the survey findings. An overwhelming 58% of respondents cited existing culture and lack of skills as hurdles to being able to embed security testing and evaluation within software development processes. Only 24% strongly agreed that the organization’s culture and practices supported collaboration across development, operations and security. On top of cultural limitations, less than a quarter of respondents strongly agreed that senior management would sacrifice time to market in order to have sufficient time to assess and repair software security vulnerabilities.

“Security is a key principle in any Modern Software Factory. While our survey findings confirm an overarching recognition in the importance of ensuring that data and systems are built and maintained securely, there is still a lack of cultural adoption within organizations around this pressing issue,” said Ayman Sayed, president and chief product officer, CA Technologies. “When coupled with security, Intelligent IT – the use of AI, machine learning and analytics to make better, more informed decisions – can dramatically change the way that business is done.”

The report showcases characteristics of “Software Security Masters” (the top 34% of respondents), which are organizations that have been able to fully integrate security into their software development lifecycles. This includes conducting early and continuous application testing for security vulnerabilities, as well as embracing the practice of DevSecOps.

In fact, when compared with the mainstream, respondents from the Software Security Masters were over two times more likely to strongly agree that they viewed security as an enabler of new business opportunities. These organizations also exhibited the following attributes:

● 50% higher profit growth

● 40% higher revenue growth

● Are 2.6x more likely to have security testing keep up with frequent app updates

● Are 2.5x more likely to be outpacing their competitors

“The organizations labeled as Software Security Masters are the beacons of hope in today’s digital economy. Not only do they exemplify and represent the cultural mindset necessary to adapt and thrive in today’s dynamic market, they are influencing change within the industry while shaping the workplace of the future,” concluded Sayed.

Survey Methodology

The global online survey of 1,279 senior IT and business executives was sponsored by CA Technologies and conducted by industry analyst firm Freeform Dynamics in July 2017. It was augmented by in-depth telephone interviews with key industry executives. For full survey methodology details, please see the report, “Integrating Security into the DNA of Your Software Lifecycle.”

Download the full report and other supporting materials:

● Report: Integrating Security into the DNA of Your Software Lifecycle

Infographic

● Blog: The Competitive Edge of DevSecOps by Ayman Sayed

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8903
PUBLISHED: 2019-02-18
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVE-2019-6453
PUBLISHED: 2019-02-18
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
CVE-2019-8372
PUBLISHED: 2019-02-18
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link an...
CVE-2019-8902
PUBLISHED: 2019-02-18
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.