May 10, 2011, 12:51 PM — Those looking for good news when it comes to healthy software development hygiene are going to be soundly disappointed by today's news.
In a study conducted by Forrester Consulting, commissioned by software security firm Coverity, 336 people involved in software development in North America and Europe were surveyed on their current practices when it came to managing software quality, security and safety.
The takeaway: not everyone is brushing their teeth, nor eating their five figurative servings of fruits and vegetables every day.
According to the study, the Software Integrity Risk Report, while most companies outsource software development to third parties, that third-party code is not tested for quality, safety and security to the same degree as their in-house developed software.
The study found significant disparities between how internally developed code is tested and how code developed by third parties is tested. First, only 44% of companies conduct automated code testing during development for third-party code, whereas 69% use automated code testing for internally developed software.
Second, only 35% of companies conduct risk, security or vulnerability assessments for third-party code, compared to 70% of companies applying these methods to their internally developed software.
"Software security and integrity is probably the most challenging problem to solve in security today," says Pete Lindstrom, research director at Spire Security. "But the reality is that the tools used to analyze software code have a high signal to noise ratio and are not easy to use."
Beyond the expected security vulnerabilities that are a byproduct of poor development practices, about 65% of companies reported that customer satisfaction is also impacted by software defects, while 47% said that time-to-market is also hurt by software defects.
While almost everyone acknowledges that software quality is one of the most pressing security concerns today, no one expects a quick fix any time soon. "While it borders on negligent to ignore software quality, the reality is that the tools available today are difficult to use and provide undependable results," says Lindstrom.
George V. Hulme writes about security and technology from his home in Minneapolis. He is so concerned about software vulnerabilities, every time his browser crashes he wonders if it's an APT. Fortunately, he doesn't use firewalls on Twitter, where he can be found at @georgevhulme.