A study commissioned by Coverity Inc - "The Software Security Risk Report” - reveals the details of application security incidents experienced by North American and European web app development companies in the last 18 months.
The figures from the report show that 51% of the respondents had at least one incident in the past one and a half year. 18% of these firms reported losses of over $500,000 (400,000 EUR), while 8% claim to have lost twice as much. In a few situations, the affected organizations lost over $10 million (8 million EUR).
Respondents said business demands and code volumes forced them to put security to the side. Over 70% of them state that they don’t have funds and the right technology in order to address security issues.
Furthermore, the numbers reveal that 41% blame time-to-market pressure for not being able to push security into development.
It appears that secure development practices aren’t employed by too many web app creators. Only 42% follow secure coding guidelines and only around a quarter use threat modeling or a library of approved and banned functions.
Code auditing before integration testing is performed by less than half of the interviewed companies and only 17% of them verify their products during development.
“It's clear that security practitioners and developers aren't speaking the same language when it comes to application security, and this is leading to very costly consequences for companies,” Jennifer Johnson, VP of marketing at Coverity, explained.
“Application security begins and ends with development. Developers need to be part of the solution but the industry won't solve the problem until security is incorporated into the development process with technologies and processes that developers can understand and adopt. Force-feeding development with legacy tools built for security teams just isn't working.”