by Neil Rerup
October 31, 2006

Implementation of the SDL in Industry: Symantec

I ran across an interesting news release from Symantec the other day. Symantec had a Market Research company do some research into Application Security and how organizations were implementing Application Security into their development processes. The results were interesting, though not very surprising.

The research was done by a company called Applied Research on behalf of Symantec. They took a sample of 400 US-based developers, so right off this indicates a focus on US organizations. I say this because I've worked with a number of Canadian and European organizations, and the focus on security differs slightly from region to region. Keep that in mind with regards to the numbers from the survey.

The encouraging things that came out of the survey were the following:

- 93% thought security was more important today than three years ago
- 74% thought security was an important aspect of the Development process
- 70% said their employers emphasized the importance of application security

But the big number that jumps out at me is:

- Only 29% said security was ALWAYS a part of their development processes.

That’s huge! In other words, the security processes that are being followed are probably ad hoc and not applied in a structured manner. That being the case, you need to take care to perform due diligence on any software that you are receiving, whether from a service provider or from a vendor, to make sure that the applications are written securely.

Other numbers of importance that came out of the survey were:

- 12% said security had priority over delivery deadlines
- Only 40% have had formal security training
- 1/3 had not yet included security in their QA processes.

So, even if security is considered important, it’s not at the same level of importance as getting a product out the door. I would suggest arguing that fixing vulnerabilities during the development process is probably cheaper than fixing them once the product is out the door. If you change the argument away from security vs. productivity towards one of cost vs. benefit, you’ll get better results in terms of integrating security into your processes.

Also, I’d much rather see some sort of application security in place, even if the training isn’t that good, than nothing at all. As the processes evolve, the security level should improve. So training being at 40% is not necessarily a bad thing. Sure, it would be nice to have formal training, but we’re in an industry that requires us to learn as we grow, so there’s no reason why you can’t pick up a book and read about a better way of doing things.

The last thing I see from the results of the survey is that there is a growing understanding of the importance of the SDL and of the need to incorporate security into the development processes. But I also see an inertia against making that change, which is not surprising, since change always takes time. And remember that the thinking was always that security was the concern of infrastructure, not application development. As we see that change, we will see the continued adoption of SDLs into application development processes, and security will become integrated into, rather than standing apart from, the application development process.

Neil R.

Posted at 11:54 AM