CA Technologies (NASDAQ:CA) has revealed results of a global study of more than 1,200 IT leaders, including 466 across six countries in Europe, on the topic of secure software development. Conducted by IT industry analyst firm Freeform Dynamics, the new report entitled, “Integrating Security into the DNA of Your Software Lifecycle” highlights the influence of an organisation’s culture on its ability to integrate security practices as part of the software development lifecycle – a practice critical to business success in the digital economy.
In the study, 93% of European respondents confirm that software development supports growth and expansion, and 87% say it drives digital transformation. The findings also reveal that 71% agree that security threats arising from software development issues are a growing concern. However, 60% of European organisations cite “existing culture” as a significant barrier to embedding security within processes, and only 24% strongly agree the organisation’s culture and practices support collaboration across development, operations and security. Against this backdrop, CA Veracode’s State of Software Security Report 2017 indicates that vulnerabilities continue to crop up in previously untested software at alarming rates, with 77% of apps having at least one vulnerability on initial scan.
“Security is a key principle in any Modern Software Factory. While our study confirms an overarching recognition of the importance of building and maintaining applications securely, the culture within European organisations still needs to be modified to improve collaboration between IT teams, and get faster feedback from the real world on vulnerabilities and how to tackle them quickly,” says Danilo Labovic, Vice President, Security, EMEA, CA Technologies. “Building security into every step of application delivery with DevSecOps and advanced technologies like machine learning and behavioural analytics can significantly drive better business outcomes and ultimately, change the way business is conducted.”
Security needs to be embedded into development
The research highlights that a majority of organisations recognise that rapidly changing business and regulatory demands require organisations to modify how security is managed in their software development processes. In particular, it reveals that the traditional approach of testing security at the end of the development process is no longer sufficient: 91% of European organisations believe it is essential or important to make security a more embedded part of the software development process, not tagged on, often hurriedly, at the end. Some 74% also agree/strongly agree that it is critical to integrate security practices earlier in the software development cycle – in other words adopt DevSecOps.
In reality though, only 28% of European organisations have already made security an integral part of DevOps (i.e. implementing DevSecOps) and just 28% have already implemented early and continuous testing of apps for security vulnerabilities.
Lack of skills and time impede security – but automation is imminent
In addition to existing organisational culture being identified as a key hurdle to secure software development, some 55% of European organisations agree that a lack of skills also prevents them from making security integral to the entire software development process – from application requirements assessment through design to delivery – while 66% cite time pressures. The immense challenges associated with these processes makes the use of automation tools essential as few, if any, organisations have the skilled human resources or time available to tackle such complex, urgent challenges.
Two emerging technologies with automation at the core – behavioural analytics and machine learning – can help address the skills gap and time issues while improving security. According to the study, 88% of European organisations see both of these advanced technologies as key to providing a better user experience while still protecting user data, which is fundamental to taking pre-emptive action to avoid a data breach and/or mitigate the impact of one, and essential to authenticating controls based on what a user is doing and what is known about them. In fact, 71% of organisations are now using analytics, machine learning and artificial intelligence to enrich insights into customer needs and behaviours, while 75% are increasing automation across the software development lifecycle.
Software Security Masters show the way forward
The report showcases characteristics of “Software Security Masters” (the top 32% of respondents across EMEA) which are organisations that have been able to fully integrate security into the software development life cycle. This includes conducting early and continuous application testing for security vulnerabilities as well as embracing the practice of DevSecOps. In fact, when compared with the mainstream, 1.7x more Software Security Masters strongly agree that security is an enabler of new business opportunities in addition to protecting a company’s data and systems. In addition, Software Security Masters exhibited the following attributes, as compared with the mainstream:
- 50% higher profit growth
- 40% higher revenue growth
- Are 2.4x more likely to have security testing keep up with frequent app updates
- Are 1.9x more likely to be outpacing their competitors
“Organisations that are Software Security Masters not only show a strong correlation between embedding security in the DNA of software development and achieving strong top and bottom line performance, they also exemplify and represent the mindset and skills needed to succeed in the digital economy and are agents of change as they shape the organisational culture that’s so key to creating the workplace of the future,” concluded Labovic. “Not every organisation is at the stage of being a Software Security Master, but employing a strategy of continuous security can accelerate the move to becoming a master, thereby improving time to market and enhancing the organisation’s ability to compete and grow.”
The global online survey of 1,279 senior IT and business executives was sponsored by CA Technologies and conducted by industry analyst firm Freeform Dynamics in July 2017. It included 466 respondents from six European countries: France, Germany, Italy, Spain, Switzerland and the UK. The research was augmented by in-depth telephone interviews with key industry executives. For full survey methodology details, please see the report, “Integrating Security into the DNA of Your Software Lifecycle.”
Download the full report and other supporting materials: