Report: Corporate Software Security Not Taken Seriously

According to a report by Creative Intellect Consulting, 59 percent of enterprise application departments are not following quality and security processes "rigorously" when developing new software.

The U.K.-based research and consulting firm's study, titled "State of Secure Application Lifecycle Management," surveyed over 170 IT professionals on the state of their enterprises' secure software code delivery and lifecycle management procedures. The firm found that only 48 percent of respondents' security procedures were acceptable.

"Given the heightened awareness and focus on security in the last few years, it is surprising to see so few [organizations] embedding security tightly into the software delivery process," wrote Bob Rotibi, founder of Creative Intellect Consulting, in a press release. "It is as much a lack of process as it is insecure code."

The study found that over a quarter of respondents fall into the "lack of process" category: 26 percent of those surveyed said that not only do they not follow secure development processes, but their organizations also do not evaluate and test security software before purchasing it.

When asked why procedures were either lacking or nonexistent, respondents pointed to a lack of investment and little support from management as the two main factors behind their enterprises' security gaps.

Giving some insight into why this is, the report stated that "Businesses do not do what management doesn't support. Too often management view investment in securing the software delivery process as a cost that they don't, necessarily, see a related profit from."

However, the return on securing business software and applications comes in the form of avoided losses. A press release discussing the survey pointed to a recently released U.K. government report that said U.K. companies lose £27 billion (about $43.8 billion in U.S. dollars) a year to application security breaches. Creative Intellect Consulting argued that secure upfront development and design processes, along with timely deployment, will help to lower these costs.

Education is the key factor in improving security practices -- from informing managers of the importance of keeping software updated to giving IT teams the resources to properly implement procedures. More than 57 percent of survey respondents said that a lack of education and training hurt the delivery of secure software. 70 percent also said they lacked guidance on security procedures for newer technology areas (cloud, virtualization, mainframes and mobile devices).

Pointing to the only positive finding from the survey, Creative Intellect Consulting said that "some good progress has been made with encouraging support for key process practices that can both strengthen and promote the delivery of secure software."

About the Author

Chris Paoli is the site producer for and

