Slashdot Mirror


Corporate Cultural Issues Hold Back Secure Software Development (betanews.com)

An anonymous reader shares a report: As the digital economy expands and software becomes more critical, security worries grow. In a new survey, 74 percent of respondents agree that security threats due to software and code issues are a growing concern. The study of over 1,200 IT leaders, conducted by analysts Freeform Dynamics for software company CA Technologies, finds 58 percent of respondents cite existing culture and lack of skills as hurdles to being able to embed security within processes. In addition, only 24 percent strongly agree that their organization's culture and practices support collaboration across development, operations and security. On top of cultural limitations, less than a quarter of respondents strongly agree that senior management understands the importance of not sacrificing security for time-to-market success.

9 of 57 comments

  1. Security company funds "study", finds problems by enjar · Score: 5, Insightful

    In other news, Microsoft finds that adopting Windows will work best for your company, Monsanto funds a study to say their crops are the sure way to make money as a farmer, Ford funds a study that says they make the best cars and trucks, Coca-Cola funds a study that finds their products are the most liked, etc.

    I don't disagree that security is a problem, I just have a fair bit of skepticism that a study funded by Computer Associates, takeover-and-neglect artists of the software world, is really going to get to the root issues that make integrating security into software development processes hard without a fair helping of "we can send an army of consultants to help you for a fee, in addition to licensing some software we acquired and will resell/license to you at a pretty large markup".

  2. Re:Time-to-market is critical by geekmux · Score: 4, Insightful

    Security issues can be patched later on. If you are beaten to market, in many cases you might as well send everyone home and close up shop. Launching ahead of the competition and establishing a beachhead is the single most important thing with any product and everything else is #2. I understand that many engineers don't understand this, but they are not paid or trained to think this way. That doesn't make it any less true.

    The problem with ignoring the priority of security is often times the priority of safety is dismissed as well. When that happens, innocent people die.

    And when Greed N. Corruption essentially never gets punished for immoral, unethical, or even illegal activity, don't expect the environment to get any more secure or safe.

  3. Several things holding back secure software by zifn4b · Score: 5, Insightful

    1) Corporate Cultural issues aka employee engagement - seriously if upper management is toxic and plays psychological games, who is going to give a shit about your software on any level let alone security?
    2) Lack of software engineers with appropriate level of skill, education and experience. But you know it's because we can't find qualified candidates aka ones that are unicorns that will take minimum wage as compensation.
    3) Companies that don't take security and risk seriously because hey why do we need to take this seriously now? We didn't take it seriously 20-30 years ago and now you're asking me to spend more money than I used to on "best practice"? You're just trying to trick me into giving away my precious money on things we really don't need like all those RAD tools I've been pitched over the years...

    I could go on ad nauseam here but the TL;DR is: if you treat your employees like expendable pieces of shit that can supposedly be replaced by interns and contractors and tell them they should be thankful for it, your software is going to be shit on every level not just security.

    --
    We'll make great pets

    1. Re:Several things holding back secure software by apoc.famine · Score: 3, Insightful

      I think 3 is more insidious than you give it credit for. "We didn't take it seriously 20-30 years ago and now you're asking me to spend more money than I used to on "best practice"?"

      There is a perverse logic to, "It's never bitten us in the ass before, why should we start worrying now?" That's doubly so when success before was predicated on not giving a shit about security, and beating someone else to the market who did.

      This works very, very well, up until the point it doesn't. The problem is that the data points build up supporting this flawed logic every time it's a successful gamble.

      And then, what if it's not a gamble? Looking at Windows, it's spent 20+ years as a multi-billion dollar making piece of Swiss cheese. From a manager's standpoint, it's hard to point at that sort of success and say, "We should have held back some versions another 6 months to a year and fixed some of the bugs."

      It's not a corporate culture issue as much as it is a dollars and sense argument. If an early flawed release is going to make you more dollars than a later secure one, it makes sense to release your software early, holes and all. Over time, this may become corporate culture, but I'd argue that once it stopped making financial sense that most companies would revisit this habit.

      --
      Velociraptor = Distiraptor / Timeraptor

  4. Re:Welcome to DevOps... by zifn4b · Score: 3, Funny

    I have seen this myself. I had a DevOps job (which I leaped from, to a far better place) where the Scrum master (who had the power to recommend terminations, and managers rubberstamped them) had the dev team always in a sprint.

    And then one day management and the scrum master awoke on a bright cheery morning. Sun shining bright, birds chirping. What a glorious morning! They got their Starbucks coffee, kissed their wives and kids and drove into work with cheerful positive music and thinking very highly of themselves and how fortunate their company was to have them. For without them, the company wouldn't be able to function. The scrum master skips through the door, smile on their face and spring in their step and goes into the empty meeting room where the daily stand up is supposed to be. 5-10 minutes pass after the stand up was supposed to start and there was still no one there but the Scrum Master. Why could this be? Where is everyone? They must be late! Those lazy no good slackers! And then it dawned on the Scrum Master, I fired everybody because they didn't meet my ridiculous expectations and I can't write a line of code to save my life. Without anyone to scapegoat the problem onto, because they were all fired, the Scrum Master panicked, chaos ensued, angry customers called the CEO and eventually the business closed its doors and faded into history as another failed startup.

    --
    We'll make great pets

  5. Re:Time-to-market is critical by HornWumpus · Score: 3, Insightful

    Ignoring your ego jerking... You assert that time to market doesn't matter?

    The right answer is both security and time to market matter; ignore either and you're pretty much guaranteed to fail. Which is a more difficult discussion than just saying 'you're the problem'.

    And of course the rubber hits the road when security breaches happen. Management sees the lack of consequences and manages based on history. Putting a music major in charge of a major corp's IT security should reduce the stock's value to zero. That is the bottom line.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

  6. Bottom Line by jmccue · Score: 4, Insightful

    Corporate Bottom Line Hold Back Secure Software Development

    FTFY

  7. Re:Welcome to DevOps... by Junta · Score: 3, Interesting

    Hyperbole aside, this isn't new to 'DevOps', though I will admit that in some circles it blesses the thought process.

    For as long as humans have been doing things, processes in bad groups devolve to this sort of blind and mad grasping at 'productivity', and devolving into spending more time fretting about the process of seeing if work is being done than actually doing the work. Each fad promising to 'correct' the ratio of overhead of the previous fad, either never realizing or intentionally ignoring the reality that people are the problem and will pervert any methodology that purports to fix it.

    Meanwhile, good teams operating within good larger organizations will succeed with whatever project management/development fad they nominally use.

    --
    XML is like violence. If it doesn't solve the problem, use more.

  8. This is easy to solve. by Gravis+Zero · Score: 5, Insightful

    Just tie the pay of the managers to security. If there are security issues then the managers start losing money. Problem solved!

    --
    Anons need not reply. Questions end with a question mark.