Most companies skimp on third-party code checks, study finds

By George V. Hulme, CSO

Those looking for good news when it comes to healthy software development hygiene are going to be soundly disappointed by today's news.

In a study conducted by Forrester Consulting, commissioned by software security firm Coverity, 336 people involved in software development in North America and Europe were surveyed on their current practices when it came to managing software quality, security and safety.

The takeaway: not everyone is brushing their teeth, nor eating their five figurative servings of fruits and vegetables every day.

According to the study, the Software Integrity Risk Report, most companies outsource some software development to third parties, but that third-party code is not tested for quality, safety and security to the same degree as their in-house developed software.


The study found significant disparities between how internally developed code is tested and how code developed by third parties is tested. First, only 44% of companies conduct automated code testing during development for third-party code, whereas 69% use automated code testing for internally developed software.

Second, only 35% of companies conduct risk, security or vulnerability assessments for third-party code, compared to 70% of companies applying these methods to their internally developed software.

"Software security and integrity is probably the most challenging problem to solve in security today," says Pete Lindstrom, research director at Spire Security. "But the reality is that the tools used to analyze software code have a high signal to noise ratio and are not easy to use."

Beyond the expected security vulnerabilities that are a byproduct of poor development practices, about 65% of companies reported that customer satisfaction is also impacted by software defects, while 47% said that time-to-market is also hurt by software defects.

While nearly everyone acknowledges that software quality is one of the most pressing security concerns today, no one expects a quick fix any time soon. "While it borders on negligent to ignore software quality, the reality is that the tools available today are difficult to use and provide undependable results," says Lindstrom.

George V. Hulme writes about security and technology from his home in Minneapolis. He is so concerned about software vulnerabilities, every time his browser crashes he wonders if it's an APT. Fortunately, he doesn't use firewalls on Twitter, where he can be found at @georgevhulme.

Originally published on CSO.