How can organisation’s secure software development?
A global study from CA Technologies highlights existing organisational culture as a key hurdle in embedding security throughout the software development cycle. A change of culture is required to integrate effective security measures into software developments – a practice critical to business success in the digital economy.
In the study, 93% of European respondents confirmed that software development supports growth and expansion, and 87% said it drives digital transformation. The findings also revealed that 71% agreed that security threats arising from software development issues are a growing concern.
However, 60% of European organisations cited “existing culture” as a significant barrier to embedding security within processes, and only 24% strongly agreed the organisation’s culture and practices support collaboration across development, operations and security.
Against this backdrop, CA Technologies report indicated that vulnerabilities continue to crop up in previously untested software at alarming rates, with 77% of apps having at least one vulnerability on initial scan.
“Security is a key principle in any modern software factory. While our study confirms an overarching recognition of the importance of building and maintaining applications securely, the culture within European organisations still needs to be modified to improve collaboration between IT teams, and get faster feedback from the real world on vulnerabilities and how to tackle them quickly,” says Danilo Labovic, vice president, Security, EMEA, CA Technologies.
“Building security into every step of application delivery with DevSecOps and advanced technologies like machine learning and behavioural analytics can significantly drive better business outcomes and ultimately, change the way business is conducted.”
Security needs to be embedded into development
The research highlighted that a majority of organisations have recognised that rapidly changing business and regulatory demands require organisations to modify how security is managed in their software development processes.
>See also: Tackling security with container deployments
In particular, it revealed that the traditional approach of testing security at the end of the development process is no longer sufficient: 91% of European organisations believe it is essential or important to make security a more embedded part of the software development process, not tagged on, often hurriedly, at the end. Some 74% also agree/strongly agree that it is critical to integrate security practices earlier in the software development cycle – in other words adopt DevSecOps.
In reality though, only 28% of European organisations have already made security an integral part of DevOps (i.e. implementing DevSecOps) and just 28% have already implemented early and continuous testing of apps for security vulnerabilities.
Lack of skills and time impede security – but automation is imminent
In addition to existing organisational culture being identified as a key hurdle to secure software development, some 55% of European organisations agree that a lack of skills also prevents them from making security integral to the entire software development process – from application requirements assessment through design to delivery – while 66% cite time pressures.
The immense challenges associated with these processes makes the use of automation tools essential as few, if any, organisations have the skilled human resources or time available to tackle such complex, urgent challenges.
>See also: Open source security challenges in cars
Two emerging technologies with automation at the core – behavioural analytics and machine learning – can help address the skills gap and time issues while improving security.
According to the study, 88% of European organisations see both of these advanced technologies as key to providing a better user experience while still protecting user data, which is fundamental to taking pre-emptive action to avoid a data breach and/or mitigate the impact of one, and essential to authenticating controls based on what a user is doing and what is known about them.
In fact, 71% of organisations are now using analytics, machine learning and artificial intelligence to enrich insights into customer needs and behaviours, while 75% are increasing automation across the software development lifecycle.
Software security masters show the way forward
The report showcases characteristics of “Software Security Masters” (the top 32% of respondents across EMEA) which are organisations that have been able to fully integrate security into the software development life cycle. This includes conducting early and continuous application testing for security vulnerabilities as well as embracing the practice of DevSecOps.
In fact, when compared with the mainstream, 1.7x more software security masters strongly agree that security is an enabler of new business opportunities in addition to protecting a company’s data and systems. In addition, Software Security Masters exhibited the following attributes, as compared with the mainstream:
•50% higher profit growth.
•40% higher revenue growth.
•Are 2.4x more likely to have security testing keep up with frequent app updates.
•Are 1.9x more likely to be outpacing their competitors.
“Organisations that are software security masters not only show a strong correlation between embedding security in the DNA of software development and achieving strong top and bottom line performance, they also exemplify and represent the mindset and skills needed to succeed in the digital economy and are agents of change as they shape the organisational culture that’s so key to creating the workplace of the future,” concluded Labovic.
“Not every organisation is at the stage of being a software security master, but employing a strategy of continuous security can accelerate the move to becoming a master, thereby improving time to market and enhancing the organisation’s ability to compete and grow.”