A recent study by the Ponemon Institute of more than 800 IT executives found a striking disconnect between perceptions of security controls between developers and security professionals. Developers largely say applications run by their enterprise are not secure, while security professionals are much more optimistic about the security of their applications.
Seven in 10 developers say security is not adequately addressed in their applications, but only half of security officers believe that. Almost 80% of developers said they have no process, or simply an ad hoc process, for building security controls into their applications. But, only 64% of security personnel said they have no formal process for building security into their enterprise applications.
Ponemon says the disconnect can be costly for businesses: Nearly 68% of developers say their applications have been compromised because of a security breach.
"Gaps in perceptions between security practitioners and developers about application security maturity, readiness and accountability indicate why many organisations' critical applications are at risk," the study said. "A lack of collaboration between the security and development teams makes it difficult to make application security part of an enterprise-wide strategy and to address serious threats."
Beyond a lack of collaboration between these two groups, the Ponemon Institute points to a lack of security training, noting that just over half of developers say they have no formal training in application security.
All of this is leading to enterprises that are admittedly not in compliance with security standards. The study found that less than 15% of security officials and developers say their applications meet security regulations for privacy and data protection and information security.
Ponemon recommends that enterprises take a closer look at their application security guidelines and invest in security personnel to specifically track protocols and ensure accountability.