Investing in security software is one of the wisest decisions business leaders can make, given the rampant growth in hacking and data theft over the past few years. But new research shows a significant portion of purchased security-related software is simply going to waste. Armed with this knowledge, every developer should establish a secure development process — or risk taking the blame when a client fails to adequately protect its software.
A new study from Osterman Research examines the overall state of security software and how well it's being implemented. The results of the study, as summarized by SC Magazine, show that for every $115 a business spends per user on security software, $33 is going to waste. This waste takes many forms, from improper configuration and underuse to never installing the software at all after it's purchased.
The research mentions several reasons software is going to waste. As SC Magazine states, "35 percent of the survey respondents credited the lack of software usage to an IT team being 'too busy to implement the software solution properly,' and 33 percent said IT 'did not have enough resources to implement properly.'"
The problem may be rooted in the continued separation between security, operations and management. In many organizations, both IT and operations are siloed, making it difficult for teams to integrate and for security teams to get the tools they need to do the job. Additionally, management may be purchasing security software to "check a box," ignoring the fact that buying security software is pointless if it isn't properly installed and configured.
Most software companies should have a firm understanding of the importance of a robust security solution, in which case they should be able to avoid many of the issues presented in the research. However, these businesses face an additional challenge in a world of wasted security software: If the companies to which they sell their software — or the divisions of their own company for which they provide software — get hacked due to a lack of security, those entities are likely to at least try to blame the software vendor, even if their own lack of security was the root cause.
This is why it's more important than ever for software developers to create a secure development process, ensuring robust application-layer security is built into software at the earliest stages of its lifecycle. This process not only keeps security on the minds of developers as they code, but it also provides a series of comprehensive tests designed to strengthen security throughout the process and identify potential issues while they're still economical to correct.
Adopting this kind of secure development can be a difficult task for enterprises that don't have robust security teams in place, but turning to a dedicated security vendor is a feasible option. These businesses have the depth of experience to know how best to integrate security in the earliest stages of the development process, and they are constantly updating their solutions as the threat landscape changes. As the threats included in lists such as the OWASP Top 10 or CWE/SANS Top 25 change, enterprises need a security solution that will change as well.
When a security vendor utilizes the power of the cloud, its solution becomes that much more robust. The solution can be built with one set of applications in mind, helping to develop an enterprise-specific testing regimen that includes SAST and DAST testing, and can then be expanded via the cloud to the rest of that enterprise. This not only makes it more likely the solution will be used in large enterprises, where thousands of apps may be in development, but it also lets the vendor fine-tune the solution before it is widely rolled out.
The sad fact is many modern businesses are investing in security without understanding what it takes to truly be secure. With technology becoming steadily more entrenched in all businesses, it's up to software developers to ensure their applications are secure and their customers are as safe as possible. Patching problems after the fact is simply no longer good enough. Developers have to understand the overall state of business security and take steps to ensure they are producing applications capable of withstanding modern attack vectors.