[ISN] Real-World Developers Still Not Coding Securely

From: InfoSec News <alerts_at_private>
Date: Wed, 19 Sep 2012 02:10:52 -0500 (CDT)
http://www.darkreading.com/vulnerability-management/167901026/security/news/240007576/real-world-developers-still-not-coding-securely.html

By Ericka Chickowski
Contributing Writer
Dark Reading
Sep 18, 2012

The extreme pressure on developers from line-of-business leaders to push 
out new web application feature sets as quickly as possible, combined 
with a lack of security development objectives or actionable security 
guidance, continues to negatively impact web application vulnerability 
levels. A new study out this week based on a survey conducted by 
Forrester Research on behalf of Coverity showed web application 
incidents still remain expensive as a result of these vulnerabilities 
and are costing some organizations hundreds of thousands to millions of 
dollars.

Advocates have long argued for the benefits of embedding secure 
development life cycle (SDLC) principles into coders' day-to-day 
workflow in order to save on costs.

"The industry has been championing over the last couple of years is, if 
you can find software defects whether they're quality issues or they're 
security issues earlier in the cycle, it's going to cost you a lot less 
and take a lot less time to fix them," says Jennifer Johnson, vice 
president of marketing for Coverity.

But unreasonable development time constraints, impractical security 
tools that don't work well within real-world development settings, and 
inadequate training on secure coding principles have all conspired 
to squash the SDLC ethos at most dev shops. According to the 
survey results, only 51% of organizations currently have coders conduct 
security testing, and only 40% of organizations report they test during 
development. And just 42% have any kind of secure coding guidelines in 
place within their organizations.

[...]


Received on Wed Sep 19 2012 - 00:10:52 PDT