New Research From EMA Reveals How Organizations are Struggling to Develop Secure Software Applications
Research shows that over 50% of organizations performing software development struggle with fully integrating security into their software development lifecycle
Boulder, Colo., January 19, 2023 – Enterprise Management Associates (EMA™), a leading IT and data management research and consulting firm, has released a new research report, “Secure Coding Practices – Growing Success or Zero-Day Epidemic?” authored by Christopher M. Steffen, managing research director of security and risk management at EMA, and Ken Buckler, research analyst covering security and risk management at EMA.
From 2015 to 2021, the number of new vulnerabilities per year in the National Vulnerability Database grew from 6,487 to 20,139.* This increase in vulnerabilities may be due to a significant skills gap when it comes to secure software development. In 2019, a review of the top 20 computer science schools found that out of all the schools listed, only one listed security as an undergraduate degree requirement for computer science.** Simply put, software developers are not being taught secure coding practices at colleges and universities, and with a significant number of organizations failing to invest in any secure coding training whatsoever, even some of the most seasoned developers in the industry may have little to no awareness of secure coding concepts.
EMA surveyed 129 professionals across multiple industry verticals, seeking to understand how organizations are tackling the challenge of developing secure software applications. The results revealed that over half of organizations performing software development struggle with fully integrating security into their software development lifecycle (SDLC), and many organizations are failing to make critical investments in enhancing the security knowledge of their development teams.
Some of the key findings include:
- 69.3% of organizations have SDLCs that miss critical security steps. This includes 45.3% of organizations that do not have a dedicated validation step in their security SDLC, 20% of organizations that do not have a dedicated planning step, and 4% that do not have a dedicated implementation step.
- 100% of organizations using a combination of code reviews, code scanning tools, and third-party training saw improvement in their code security.
- Only 75% of organizations not using training saw improvement in their code security.
All too often when it comes to cybersecurity, the human element is the most overlooked component of any system. With the lowest adoption rate (54%) and the highest code security improvement rate (100%), third-party training appears to be the critical component in which some organizations are failing to invest.
“The human element is the first and last line of defense when it comes to any cybersecurity program,” said Buckler. “The rapidly growing number of software vulnerabilities discovered per year clearly outlines the need for better cybersecurity practices from the ground up. This includes developing secure applications from the start through investing in improving the secure coding practices of the industry’s software development workforce.”
A detailed analysis of the research findings is available in the report, “Secure Coding Practices – Growing Success or Zero-Day Epidemic?”
EMA will reveal highlights from the report during the free February 7th webinar, “Secure Coding Practices – Growing Success or Zero-Day Epidemic?”
Security Journey sponsored this independent research report. Security Journey offers robust application security education tools to help developers and the entire SDLC team recognize and understand vulnerabilities and threats to proactively mitigate these risks.
*CVSS Severity Distribution Over Time, https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time
**Cable, Jack, “Security requirements for computer science degrees.” Aug 22, 2019. https://gist.github.com/cablej/f272747f2d545342aec7f34a1bfae4ef
Founded in 1996, EMA is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help their clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals, and IT vendors at www.enterprisemanagement.com.