Article

More companies seek third-party Web app code review, survey finds

Robert Westervelt, News Editor

Companies are paying closer attention to secure software development to reduce shoddy code, which often results in gaping holes that expose sensitive information, according to a new survey conducted by the OWASP Foundation.

The OWASP Security Spending Benchmark Report

Requires Free Membership to View

surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information security at Wireless Generation Inc., who organized the report with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. Gelbord said the predominant thinking has been that companies are conducting code review in-house if they're doing it at all.

"One thing that cuts across all the statistics is a growing approach toward secure coding," Gelbord said of the survey.

It's OWASP's first survey on secure software development budgets. Gelbord said the organization is trying to measure spending habits and over time gauge whether companies are placing an emphasis on building applications with more secure software code. The goal of the project is to establish an industry accepted benchmark for justifying overall Web application security spending, Gelbord said.

About half of the respondents consider security experience as at least somewhat important in hiring new developers. The figure is a positive sign that companies are trying to place a greater emphasis on secure software development, Gelbord said. The majority of those surveyed also said they provide software security training both internally and externally.

Spending on Web application development is expected to be flat or rise slightly during the economic downturn. But the survey results were somewhat inconclusive. The survey found that Web application security represents 10% of security spending in 36% of the companies surveyed. Another 33% of firms surveyed did not know what portion of security spending is on Web applications.

There is little historical data around measuring spending on software development, Gelbord said. Software development processes haven't been mature enough to measure, he said.

"There's been a network centric focus on security spending and the software development process hadn't matured enough to establish a consensus on spending," Gelbord said.

Regulatory compliance is driving the bulk of the spending, the survey found. Respondents also said it was a factor in the increasing amount of Web application firewalls deployed to protect some Web applications. Nearly half of those surveyed said they had such firewalls deployed. Still, over a third of organizations do not use Web application firewalls at all to monitor or defend applications.

"We're in a period of pro regulatory trends right now and that's going to drive security spending," he said. "An area reinforced by the survey is that companies are motivated to spend on security to achieve compliance and mitigate risk and not as a means to gain competitive advantage."support your business in the years ahead," Wood said.