Developers say application security lacking
- 21 March, 2012 02:47
Are enterprise applications really secure? It depends on whom you ask.
A recent study by the Ponemon Institute of more than 800 IT executives found a striking disconnect between perceptions of security controls between developers and security professionals. Developers largely say applications run by their enterprise are not secure, while security professionals are much more optimistic about the security of their applications.
Seven in 10 developers say security is not adequately addressed in their applications, but only half of security officers believe that. Almost 80% of developers said they have no process, or simply an ad hoc process, for building security controls into their applications. But, only 64% of security personnel said they have no formal process for building security into their enterprise applications.
Ponemon says the disconnect can be costly for businesses: Nearly 68% of developers say their applications have been compromised because of a security breach.
"Gaps in perceptions between security practitioners and developers about application security maturity, readiness and accountability indicate why many organizations' critical applications are at risk," the study says. "A lack of collaboration between the security and development teams makes it difficult to make application security part of an enterprise-wide strategy and to address serious threats."
Beyond a lack of collaboration between these two groups, the Ponemon Institute points to a lack of security training, noting that just over half of developers say they have no formal training in application security.
All of this is leading to enterprises that are admittedly not in compliance with security standards. The study found that less than 15% of security officials and developers say their applications meet security regulations for privacy and data protection and information security.
Ponemon recommends that enterprises take a closer look at their application security guidelines and invest in security personnel to specifically track protocols and ensure accountability.
Network World staff writer Brandon Butler covers cloud computing and social media. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.
Read more about anti-malware in Network World's Anti-malware section.