In late 2004, Paladion commissioned Datamonitor to study the security testing trends among 68 ISVs. Here we present the results of the survey and share the white paper with you.
According to CERT, the number of vulnerabilities discovered in 2004 was as high as 3,780, compared to 1,000 in 2000. As hacking and virus incidents increase, CIOs are becoming concerned about the threats their organizations face, and customers are holding Independent Software Vendors (ISVs) responsible for the high number of software holes.
Datamonitor conducted the survey to see how many ISVs are seriously considering software security testing. It found that as many as 91% of the ISVs interviewed have a formal security testing program in place. However, the growing number of vulnerabilities indicates that this testing is not effective enough to catch all the security holes.
Ineffective testing forces us to ask who is conducting these security tests. The survey reveals that 47% of ISVs rely on internal knowledge and QA teams for testing, while only 9% turn to outside specialists. This suggests that the internal testing most ISVs do is not thorough enough to check for all weaknesses, for the following reasons:
Software developers do not have the right mindset to foresee the vulnerabilities their coding practices can lead to.
Internal testing teams do not have the skills and mindset required to carry out a completely effective testing exercise.
Internal teams find it difficult to keep up with changing attack patterns.
On a positive note, Datamonitor found that ISVs are realizing the ineffectiveness of their security testing programs and the need for specialized expertise. The survey shows that about a third of the ISVs interviewed are planning to hire external security consultants. The white paper prepared by Datamonitor, containing the full results of the survey, is available online here --