Executives say yes; security professionals fighting off all forms of attacks say no way.
Business leaders and their IT groups disagree when it comes to the success and effectiveness of internal secure coding practices, according to a new study by the Ponemon Institute commissioned by application security vendor Security Innovation.
“The big surprise is the difference between senior [executives] and the rank-and-file” on whether enterprises are employing true secure application development lifecycles, said Larry Ponemon, chief executive and founder of the Ponemon Institute. “The rank-and-file [view] is a better indicator of reality.”
In what the Ponemon Institute’s report calls “a serious and potentially dangerous misalignment,” 75 percent of executives surveyed for the report believe their organizations have “defined, secure architecture standards” in their programming. In contrast, only 23 percent of technicians agree or strongly agree with that statement.
The same differences are apparent when it comes to whether enterprises are measuring application developers for compliance with those standards, the report said.
Training is also a bit murky. While 71 percent of execs believe their internal training and education programs are up to date and in line with the latest threats, app security policies, and best practices, only 19 percent of the technical staff agrees.
“I view the executives as blissfully ignorant [rather than their] having a rosier picture,” said Ed Adams, chief executive of Security Innovation. “I’m a security guy, so I’m naturally more skeptical.”
The education and training issue is especially disconcerting. “They want them to write secure code, yet you’ve got this disillusionment at the executive level, who owns the budget,” Adams said. “It’s needed, it’s wanted, but it’s not getting delivered because of this perception gap.”
According to the report, the perception problem is likely due to “poor communication and collaboration” among the players in application development and security.
Even so, overall, there are some upward trends in enterprise secure app development. Of the organizations surveyed, 42 percent said they defined their application security requirements. “That’s a good sign,” Adams said. “That number was dramatically lower in 2008.”
And 43 percent of enterprises said they employ automated scanning tools during development of software and after its release. “That alone is a very positive statement,” Adams said.
Other findings show most enterprises don’t identify or measure app security risks, and most are only taking basic steps in application security.