Report: Corporate Software Security Not Taken Seriously

According to a report by Creative Intellect Consulting, 59 percent of enterprise application departments are not following quality and security processes "rigorously" when developing new software.

The U.K.-based research and consulting firm's study, titled "State of Secure Application Lifecycle Management," surveyed over 170 IT professionals on the state of their enterprises' secure software code delivery and lifecycle management procedures. The firm found that only 48 percent of respondents' security procedures were acceptable.

"Given the heightened awareness and focus on security in the last few years, it is surprising to see so few [organizations] embedding security tightly into the software delivery process," wrote Bob Rotibi, founder of Creative Intellect Consulting, in a press release. "It is as much a lack of process as it is insecure code."

The study found that over a quarter of respondents fall into the "lack of process" category. Twenty-six percent of those surveyed said that not only do they not follow secure development processes, but their organizations also do not evaluate and test security software before purchasing it.

When asked why procedures were either lacking or nonexistent, respondents pointed to a lack of investment and little support from management as the two main factors behind their enterprises' security holes.

Giving some insight into why this is, the report stated that "Businesses do not do what management doesn't support. Too often management view investment in securing the software delivery process as a cost that they don't, necessarily, see a related profit from."

However, the profit in securing business software and applications comes in the form of decreased losses. A press release discussing the survey pointed to a recently released U.K. government report that said U.K. companies lose £27 billion (about $43.8 billion in U.S. dollars) a year to application security breaches. Creative Intellect Consulting argued that secure upfront development and design processes, along with timely deployment, will help to lower these costs.

Education is the key factor in improving security protocols -- from informing managers of the importance of updating to giving IT teams the resources to properly implement procedures. More than 57 percent of survey respondents said that a lack of education and training hurt the delivery of secure software. Seventy percent also felt there was a lack of guidance on security procedures for new technology areas (cloud, virtualization, mainframes and mobile devices).

Pointing to the only positive finding from the survey, Creative Intellect Consulting said that "some good progress has been made with encouraging support for key process practices that can both strengthen and promote the delivery of secure software."

About the Author

Chris Paoli is the site producer for and
