The "RISKY BUSINESS" Blog
Security Incidents Drive Integration of Security Into SDLCs

Posted by John Verry on Tue, Apr 13, 2010 @ 03:38 PM

Errata Security's recent survey maps well to what we have seen regarding application security practices:

  • While 50% of software development companies say "security is 'always' a concern ...", only half of those firms have a formal Systems Development Life Cycle (SDLC) in place.
  • Software developers usually wait for a security incident to occur before calling in a security expert. Companies then look to integrate secure coding practices as a response.

It's very interesting to me that while the vast majority of developers and application owners recognize the importance of security, SDLCs are usually non-existent, do not adequately integrate security, or are not complied with. This would imply a resource constraint: time and/or knowledge.

Time constraints are illusory, in that the failure to address security adequately in the early stages of a solution is well understood to ultimately cost more time than it saves.

This implies that it is a knowledge constraint (perhaps exacerbated by a time constraint). This "feels" consistent with what we see during security assessments and incident response. What may be surprising is that it is often business management's lack of knowledge relating to application security that is most impactful, as they "own" the responsibility to ensure that an SDLC is in place and operating as intended.

We recorded an on-demand webinar around OWASP that addresses this knowledge constraint. Enjoy.

"Leveraging OWASP to Reduce Web App Data Breach Risks"
