State of Application Security: Immature Practices Fuel Inefficiencies, but Positive ROI Is Attainable

In November 2010, Microsoft commissioned Forrester Consulting to conduct a survey study of 150 North American software development influencers. The purpose of the study is to understand the current state of application security development practices and identify key trends and market directions for application security.

The key findings of this study are the following:

  • Application security is not a mature practice for many.  A significant percentage of respondents do not employ a coordinated end-to-end approach to application security throughout their development life-cycle.
  • In general, application security remains a tactical concern versus a strategic initiative.   The respondents picked compliance as the top argument for convincing management to invest in application security. Whenever compliance is the main driver, organizations tend to do the bare minimum needed to become compliant, rather than focusing on best practices and long-term objectives.
  • Accountability and incentives to promote secure software development are lacking.
  • Those employing a more coordinated, prescriptive approach to application security saw more positive ROIs.


Therefore, organizations that desire to improve their application security competency should treat application security strategically, not tactically — integrating security practices throughout the development life cycle, adopting industry-recognized methodologies, incentivizing and measuring developers for security, and tying security to overall business objectives.

Definitely worthwhile reading this, so download the full paper here.  Where would you position your organization?

By the way, did I already mention that there are a lot of resources out there to help you?