Why is this happening?
"The security industry is overly focused on testing and scanning for known vulnerabilities in software after it's been released, and under-focused on poor software development practices that lead to vulnerable applications that hackers can exploit," says Frank Zinghini, CEO of Applied Visions, Inc., a software development company providing solutions in cyber security, business applications, and command and control systems to government and commercial customers worldwide. "Application security has to be part of the early stages of the SDLC (software development lifecycle), not tacked on at the end when finding and fixing the vulnerabilities is far more costly," adds Zinghini.
Is there a remedy?
In a recent CIO Journal, published by the Wall Street Journal, James Kaplan, a partner at McKinsey & Co. and co-author of "Beyond Cybersecurity: Protecting Your Digital Business," said, "A far better model (for software development) would be if you were teaching your developers how to write secure code, were including security architects in the development process from day one of the project, and investing in tools for secure development. Then you have many fewer flaws at the end of the process." He added, "Most developers have not been trained on secure coding practices."
Are corporations planning to beef up their application security?
More than half of respondents to a SANS Institute survey expect spending on application security programs to increase over the next year (more than a quarter expect spending to increase significantly), and only 3 percent expect to spend less.
Do startups stand a better chance?
Bessemer Venture Partners (BVP), one of the most well-respected tech industry venture capital firms, authored a white paper that states application software development is the most critical business function in the early days of most startups today. The paper states "the most important feature of secure development is written and periodic in-person (security) training by your senior developers" and "the second basic feature of secure development is source code analysis - the automated discovery of vulnerabilities." Arguably, startups stand a better chance of getting it right, since they are not burdened with legacy applications the way most large corporations are.
Who can help?
Application testing and security is big business, and there are many vendors and service providers specializing in the field.
According to market researcher ReportsnReports, North America is the largest market for security testing services. Markets and Markets expects this market alone to grow from $2.47 billion in 2014 to $4.96 billion by 2019, at an estimated Compound Annual Growth Rate (CAGR) of 14.9 percent from 2014 to 2019.