Back in January 2015, Osterman Research published a whitepaper, "The Need for Improved Software Quality." It was a great read, so I wanted to share a few of my favorite "moments" from it, as well as some of my own thoughts.
#1: Fewer than one in five of the organizations surveyed viewed security as the most important criterion when developing custom applications internally or when having custom software developed by third parties.
My thoughts: Software quality and security are still being treated as a low priority. Our business at PSC is offering an MSP turnkey solution that provides software quality and security expertise to our clients. To this day, it amazes even us how reactive organizations are, especially after high-profile events such as the Target data breach. There is a common misperception: "That won't happen to us; our products aren't a target of hackers." If your products touch a network and are software-driven, then they are a target. Just this morning the news reported how an airline passenger hacked into the jet engines midflight through the telematics and entertainment systems onboard the plane. Gadzooks!
#2: The vulnerability of much of today’s off-the-shelf and custom software, coupled with a lack of management focus on and support for security, is directly responsible for many of the data breaches, financial losses and other security-related problems that have occurred and will occur in the future.
My thoughts: ATTENTION C-Suite executives! The hacker community loves you! They want you to keep your heads buried in the sand so that they can continue to threaten the millions of dollars you have spent on building your loyal customer base and brand.
Need an example? The data breach at Target resulted in a number of serious and long-term problems:
- Target’s shareholder value dropped by $148 million.
- Net earnings for the company during the fourth quarter of 2013 were 46% lower than for the fourth quarter of 2012.
- Sales and the number of transactions during the fourth quarter of 2013 were 3.8% and 5.5% lower, respectively, than for the same period a year earlier.
- As of August 2014, Target estimated that the cost of the data breach to that point totaled $236 million.
#3: To address these issues, management must focus on security as a top priority in the software development process and must provide sufficient security-focused training to developers.
My thoughts: A good place to start is by addressing process and education. These are long-term investments: they take time to implement, but eventually both will contribute significantly to changing the organization's culture to one that is proactive about, and proud of, software security. In addition, there should be a focus on technology: implementing tools that assist the organization in collecting, correlating and collaborating on security data, and that provide transparent views into risk at every level.
IS THE PROBLEM OF SOFTWARE SECURITY TECHNOLOGICAL OR SOCIOLOGICAL?
Clearly there is an issue with software security; this white paper highlights that. But why does this issue exist? It's my contention that the issue of software security is more sociological than technical: it's an issue of culture and complacency. The technology to prevent security risks from being injected into products, and to monitor and control the software supply chain, has been available to companies for a long time.
What we have found prevalent in our client accounts is that if executive management doesn't know or understand how such risks relate to company performance, then they don't know to care about them or how to manage them proactively. On the other hand, some executive teams don't want to learn what they don't know about software security, dismissing it as a technical issue that's beneath them.
The smart executive teams dig in and invest the time and money to build a risk framework that incorporates software security metrics into their management reports. This establishes software security as an important data point and shifts their software from being regarded as a liability to being treated as an important asset whose risks are proactively measured, understood, managed and mitigated. These executives are the hackers' worst enemies.
But remember, the hackers only have to be right once; your software team and supply chain have to be right 100% of the time. An impossible task, perhaps, and a lot to ask, but we all should be swinging for the fences to protect our company, products and customers.
Read "The Need for Improved Software Quality" here.
PSC Vice President