Differences between EU and US attitudes to application security detailed in new report

Europe is comparable to the United States but showing differences in attitude when it comes to application and software security.

With the release of the Building Security in Maturity Model for Europe (BSIMM Europe) following a similar survey in the US, creators Fortify Software and Cigital have the industry's first-ever set of benchmarks for developing and growing an enterprise-wide software security program to the European market.

Common themes emerged from the collected data on software security activities for strategy and metrics, including: training, standards and requirements, security testing and code review.

It found that in general, the European approach to software security has many activities in common with US initiatives as European software security approaches place more emphasis on process than the US counterparts do, and also emphasise privacy to a greater extent.

The report also observed eleven activities that all European firms practice, including publishing a process, identifying gates, creating secure coding standards and identifying PII obligations.

Cigital CTO Dr Gary McGraw, said: “We studied nine large firms and looked at the approach to software security, or application security, and compared the results to an earlier version in the US. There has been a lot of conjecture about European companies in software security, but we found that it was just as advanced as software security is a new field.

“Using BSIMM, an organisation can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organisation.”

Co-author David Harper, said: “There is a greater focus on compliance in Europe while the US focuses on code review. So this is a key finding, there is a greater focus on procedure and less on testing in the EU. With the companies we studied, we also found that the other difference is on privacy.”

“The Europeans have privacy regulation and are driving process, a question you may ask is who wrote this and where is it? Every company is aiming to do things right, and they have to focus on software security properly. It is very exciting to see software security as a phenomenon,” said McGraw.

Sign up to our newsletters