Corporate Cultural Issues Hold Back Secure Software Development

An anonymous reader shares a report: As the digital economy expands and software becomes more critical, security worries grow. In a new survey, 74 percent of respondents agree that security threats due to software and code issues are a growing concern. The study of over 1,200 IT leaders, conducted by analysts Freeform Dynamics for software company CA Technologies, finds 58 percent of respondents cite existing culture and lack of skills as hurdles to being able to embed security within processes. In addition, only 24 percent strongly agree that their organization's culture and practices support collaboration across development, operations and security. On top of cultural limitations, less than a quarter of respondents strongly agree that senior management understands the importance of not sacrificing security for time-to-market success.

Security company funds "study", finds problems

[enjar]

In other news, Microsoft finds that adopting Windows will work best for your company, Monsanto funds a study to say their crops are the sure way to make money as a farmer, Ford funds a study that says they make the best cars and trucks, Coca-Cola funds a study that finds their products are the most liked, etc.

I don't disagree that security is a problem, I just have a fair bit of skepticism that a study funded by Computer Associates, takeover-and-neglect artists of the software world, is really going to get to the root issues that make integrating security into software development processes without a fair helping of "we can send an army of consultants to help you for a fee, in addition to licensing some software we acquired and will resell/license to you at a pretty large markup".

Re:Time-to-market is critical

[geekmux]

Security issues can be patched later on. If you are beaten to market, in many cases you might as well send everyone home and close up shop. Launching ahead of the competition and establishing a beachhead is the single most important thing with any product and everything else is #2. I understand that many engineers don't understand this, but they are not paid or trained to think this way. That doesn't make it any less true.

The problem with ignoring the priority of security is often times the priority of safety is dismissed as well. When that happens, innocent people die.

And when Greed N. Corruption essentially never gets punished for immoral, unethical, or even illegal activity, don't expect the environment to get any more secure or safe.

Several things holding back secure software

[zifn4b]

1) Corporate Cultural issues aka employee engagement - seriously if upper management is toxic and plays psychological games, who is going to give a shit about your software on any level let alone security?
2) Lack of software engineers with appropriate level of skill, education and experience. But you know it's because we can't find qualified candidates aka ones that are unicorns that will take minimum wage as compensation.
3) Companies that don't take security and risk seriously because hey why do we need to take this seriously now? We didn't take it seriously 20-30 years ago and now you're asking me to spend more money than I used to on "best practice"? You're just trying to trick me into giving away my precious money on things we really don't need like all those RAD tools I've been pitched over the years...

I could go on ad nauseum here but the TL;DR is: if you treat your employees like expendable pieces of shit that can supposedly be replaced by interns and contractors and tell them they should be thankful for it, your software is going to be shit on every level not just security.

Bottom Line

[jmccue]

Corporate Bottom Line Hold Back Secure Software Development

FTFY

This is easy to solve.

[Gravis+Zero]

Just tie the pay of the managers to security. If there are security issues then the managers start losing money. Problem solved!