Global Study Highlights Existing Organisational Culture as a Key Hurdle to Embed Security Throughout the Software Development Lifecycle
CA Technologies has revealed the results of a global study of more than 1,200 IT leaders, including 466 across six countries in Europe, on the topic of secure software development. Conducted by IT industry analyst firm Freeform Dynamics, the new report entitled, “Integrating Security into the DNA of Your Software Lifecycle,” highlights the influence of culture on the ability of UK organisations to integrate security practices as part of the software development lifecycle – a practice critical to business success in the digital economy.
In the study, 94% of UK respondents confirm that software development supports growth and expansion, and 86% say it drives digital transformation. The findings also reveal that 65% agree that security threats arising from software development issues are a growing concern. However, half (51%) of UK organisations cite “existing culture” as a key barrier to embedding security within processes, and only 16% strongly agree the organisation’s culture and practices support collaboration across development, operations and security – the lowest figure in Europe. Against this backdrop, CA Veracode’s State of Software Security Report 2017indicates that vulnerabilities continue to crop up in previously untested software at alarming rates, with organisations globally reporting that 77% of apps have at least one vulnerability on initial scan.
“Security is a key principle in any Modern Software Factory. While our study confirms an overarching recognition of the importance of building and maintaining applications securely, the culture within UK organisations still needs to be modified to improve collaboration between IT teams, and get faster feedback from the real world on vulnerabilities and how to tackle them quickly,” says Stephen Walsh, Sr Director, Security, CA Technologies. “Building security into every step of application delivery with DevSecOps, together with advanced technologies like machine learning and behavioural analytics, can significantly drive better business outcomes and ultimately, change the way business is conducted.”
Security needs to be embedded into development
The research highlights that a majority of UK organisations recognise that rapidly changing business and regulatory demands require organisations to modify how security is managed in their software development processes. In particular, it reveals that the traditional approach of testing security at the end of the development process is no longer sufficient: 91% of UK organisations believe it is essential or important to make security a more embedded part of the software development process, not tagged on, often hurriedly, at the end. Some 70% also agree/strongly agree that it is critical to integrate security practices earlier in the software development cycle – in other words adopt DevSecOps. This compares with 88% of respondents in France and 79% in Spain.
In reality though, only 30% of UK organisations have already made security an integral part of DevOps (i.e. implementing DevSecOps), compared with 44% in France and a Europe-wide average of 28%. Moreover, just 26% have already implemented early and continuous testing of apps for security vulnerabilities, compared with 38% in Italy.
Lack of skills and time impede security – but automation is imminent
In addition to existing organisational culture being identified as a key hurdle to secure software development, some 52% of UK organisations agree that a lack of skills also prevents them from making security integral to the entire software development process – from application requirements assessment through design to delivery – while 71% cite time pressures. The immense challenges associated with these processes make the use of automation tools essential as few, if any, organisations have the skilled human resources or time available to tackle such complex, urgent challenges.
Two emerging technologies with automation at the core – behavioural analytics and machine learning – can help address the skills gap and time issues while improving security. According to the study, 83% of UK organisations see both of these advanced technologies as key to providing a better user experience while still protecting user data (compared with 94% of Spanish organisations and 92% of Italian ones). This is fundamental to taking pre-emptive action to avoid a data breach and/or mitigate the impact of one, and essential to authenticating controls based on what a user is doing and what is known about them. In fact, 77% of organisations are now using analytics, machine learning and artificial intelligence to enrich insights into customer needs and behaviours (6% more than the European average), while 78% are increasing automation across the software development lifecycle.
Software Security Masters show the way forward in Europe
The report showcases characteristics of “Software Security Masters” (the top 32% of EMEA respondents) which are organisations that have been able to fully integrate security fully into the software development life cycle. This includes conducting early and continuous application testing for security vulnerabilities as well as embracing the practice of DevSecOps.
At a pan-European level, when compared with the mainstream, 1.7x more Software Security Masters strongly agree that in addition to protecting a company’s data and systems, they viewed security as an enabler of new business opportunities, and exhibited the following attributes:
- 50% higher profit growth
- 40% higher revenue growth
- Are 2.4x more likely to have security testing keep up with frequent app updates
- Are 1.9x more likely to be outpacing their competitors
“Organisations that are Software Security Masters not only show a strong correlation between embedding security in the DNA of software development and achieving strong top and bottom line performance, they also exemplify the mindset and skills needed to succeed in the digital economy and are agents of change as they shape the organisational culture that’s so key to creating the workplace of the future,” concluded Walsh. “Not every organisation is at the stage of being a Software Security Master, but employing a strategy of continuous security can accelerate the move to becoming a master, thereby improving time to market and enhancing the organisation’s ability to compete and grow.”