Companies are paying closer attention to secure software development to reduce shoddy code, which often results in gaping holes that expose sensitive information, according to a new survey conducted by the OWASP Foundation.
"One thing that cuts across all the statistics is a growing approach toward secure coding," Gelbord said of the survey.
It's OWASP's first survey on secure software development budgets. Gelbord said the organization is trying to measure spending habits and, over time, gauge whether companies are placing an emphasis on building applications with more secure software code. The goal of the project is to establish an industry-accepted benchmark for justifying overall Web application security spending, Gelbord said.
About half of the respondents consider security experience at least somewhat important in hiring new developers. The figure is a positive sign that companies are trying to place a greater emphasis on secure software development, Gelbord said. The majority of those surveyed also said they provide software security training both internally and externally.
Spending on Web application development is expected to be flat or rise slightly during the economic downturn. But the survey results were somewhat inconclusive. The survey found that Web application security represents 10% of security spending in 36% of the companies surveyed. Another 33% of firms surveyed did not know what portion of security spending is on Web applications.
There is little historical data around measuring spending on software development, Gelbord said. Software development processes haven't been mature enough to measure, he said.
"There's been a network-centric focus on security spending and the software development process hadn't matured enough to establish a consensus on spending," Gelbord said.
Regulatory compliance is driving the bulk of the spending, the survey found. Respondents also said it was a factor in the increasing number of Web application firewalls deployed to protect some Web applications. Nearly half of those surveyed said they had such firewalls deployed. Still, over a third of organizations do not use Web application firewalls at all to monitor or defend applications.
"We're in a period of pro regulatory trends right now and that's going to drive security spending," he said. "An area reinforced by the survey is that companies are motivated to spend on security to achieve compliance and mitigate risk and not as a means to gain competitive advantage."