App Security Worries CISOs, but Most Fail to Adopt Secure Development

A survey on security workforce trends finds that security professionals' top worry is bugs in applications, but that concern is not translating into secure development practices.


Application vulnerabilities and malware continue to top security professionals' list of worries, but the concerns have not translated into adopting secure development practices, a step shown to improve application security and catch software bugs earlier.

Seventy-two percent of the nearly 14,000 chief information security officers (CISOs) and other security professionals surveyed indicated that application vulnerabilities were a top concern, according to the biennial Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium (ISC)2. Yet, only 24 percent of security practitioners say their companies always scan for bugs during the code development process, with another 46 percent sometimes searching for bugs during development.

The difference between security professionals' concerns and corporate practices underscores the importance of teaching companies to value secure development, said David Shearer, executive director of (ISC)2.

"The bottom line is there is a tension between delivery [of software] and keeping a schedule, and doing that extra work required to build application security in at the coding stage—there is a tension there," he said.

The (ISC)2 Global Information Security Workforce Study, prepared by Frost & Sullivan, predicts that a drastic shortage in cyber-security professionals will have a significant impact on a variety of information security functions. The 2015 survey found that 62 percent of respondents felt their companies do not have enough information security professionals, an increase over the 56 percent who felt a shortfall in the 2013 study.

A key problem for security professionals is managing application vulnerabilities, with 72 percent considering it a top security concern. Scanning applications, either through static analysis or dynamic testing, is a primary way to find such flaws, yet 30 percent of companies never scanned for vulnerabilities during code development, according to the survey.

The desire to scan applications predictably jumped after a data breach or intrusion had been discovered by the company—58 percent of companies scanned all their applications following a security incident, compared with 24 percent that scanned applications consistently during code development.

Because of the tension between getting software developed quickly and taking the time to securely design the product and eliminate possible security bugs, most companies will continue to use application scanning only after software is put into production or following a breach, Shearer said. Until application security requirements are made part of the contract between provider and customer, the trend will likely continue.

"It is not until consumers can vote with their feet and their wallets and start looking for companies that put a priority on security will we see changes," Shearer said. "Once we can drive the marketplace to appreciate and understand security, then maybe—through competition—things will change."

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...