More than half of IT managers fail to follow key security and quality processes ‘rigorously’.
A survey of more than 170 professionals worldwide, carried out by (ISC)2, the International Association of Software Architects (IASA) and the consultancy Creative Intellect, found that 59 per cent of respondents do not follow key security and quality processes rigorously, and that 26 per cent have little or no secure software development process at all. This is despite many of the same respondents saying they review their development and delivery processes.
Asked what was preventing them from improving security across the software delivery lifecycle, nearly two-thirds of respondents named a lack of management support and investment as the key reason. Sixty-nine per cent said that not having the right culture, attitude and mindset was to blame, and the same proportion blamed the absence of appropriate processes.
Commenting on the ‘state of secure application lifecycle management’ study, Bola Rotibi, founder of Creative Intellect Consulting, said it was surprising to see so few organisations embedding security tightly into the software delivery process.
“We would like to see organisations taking a multi-faceted approach to tackling the software security challenge. Secure by design and practice should be the call to action adopted by organisations to address the software security challenge more directly,” Rotibi said.
John Colley, managing director EMEA at (ISC)2, said: “This report highlights significant gaps in following the key security and quality processes required to develop and deliver secure systems and software.
“It appears that there is a significant failure to assess the risks associated with not recognising the need for tight controls to deliver secure systems and software. Even though the industry seems to have recognised the significance of following a change control process, lack of management support and investment for improving security across the software development lifecycle is preventing it from following the rigorous discipline required to deliver secure systems and software.”