Survey Reveals Gap between Application Security Importance, Commitment

Results indicate deadlines and competitive pressures often take precedence over security in go-to-market timing

Cupertino, Calif. -- Sept. 27, 2006 -- Results from a recent Symantec Corp. survey show that awareness is growing among software developers about the need to improve application security and implement a more holistic approach to secure coding. According to a June 2006 survey of 400 U.S.-based software developers commissioned by Symantec, 93 percent felt that secure application development was a higher priority now than three years ago. Also, 70 percent indicated that their employers emphasize the importance of application security and 74 percent indicated that security was a high priority in their development process, yet only 29 percent stated that security was always part of the development process.

“Increasing security for applications that will be used by consumers and businesses has become a priority for companies around the world. As the gateway to information over the Internet and internal corporate networks, applications have become a company’s greatest asset and, in turn, an attacker’s primary objective,” said Charlie Johnson, vice president, Symantec Global Consulting Services. “Application security plays a large role in one of the biggest problems plaguing online business as consumers move toward a digital lifestyle.”

Appropriate application security requires the use of various tools and procedural methods to ensure deployed applications are adequately protected against external threats. Security measures built into applications and a sound secure application development process minimize the likelihood that hackers will be able to manipulate applications to access, steal, modify, or delete sensitive data.

Symantec’s March 2006 Internet Security Threat Report validated the growing trend in industry Web-application vulnerabilities and the need for more secure applications. Between July and December 2005, 69 percent of vulnerabilities were associated with Web applications, a 15 percent increase over the first half of 2005. Additionally, Symantec documented 40 percent more vulnerabilities in the industry in 2005 than in 2004. During the second half of 2004, Web applications accounted for 49 percent of all vulnerabilities.

To gauge respondents’ understanding of and experience with application security, Symantec surveyed developers on the level of training received by personnel with regard to application security, the level of corporate commitment and awareness among developers with regard to application security, and processes and practices in place within companies.

While the survey indicated that secure coding was considered a high priority by management, only 12 percent of respondents indicated that security always takes priority over meeting competitive deadlines and time to market pressures. The survey results also underscored the need for continued education for developers. Only 40 percent of respondents had received formal training on secure coding through their employer. Furthermore, although two-thirds of respondents regularly incorporate security as part of the QA process, still roughly one third of respondents have not yet integrated security into their QA process.

Symantec commissioned Applied Research to conduct the survey.

About the Company

Symantec Secure Application Services are offered worldwide by Symantec’s Consulting Services organization, which provides organizations with best-practice security measures through comprehensive assessments, planning, and design consultation, and are backed by Symantec’s unparalleled research, methodologies, and consulting expertise. More information is available by calling toll-free 1-800 745 6054 or visiting http://ses.symantec.com/secureapps.

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. More information is available at http://www.symantec.com.