Well, it is really about time that firms figure out that if you look at the development cycle, you might find the vulnerabilities before you place your applications into production. An ounce of prevention is truly worth more than a pound of cure.
Having a third party review your app really does make sense. It's a bit more expensive on the front end, but you save a lot down the road by not being hacked, not having to spend money on testing a production environment and keeping your name out of the paper. Secure coding is such an obvious fix, yet most companies do not spend nearly enough on doing this.
More companies seek third-party Web app code review, survey finds
By Robert Westervelt, News Editor
24 Mar 2009 | SearchSecurity.com
Companies are paying closer attention to secure software development to reduce shoddy code, which often results in gaping holes that expose sensitive information, according to a new survey conducted by the OWASP Foundation.
The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications go live. The percentage surprised Boaz Gelbord, executive director of information security at Wireless Generation Inc., who organized the report with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. Gelbord said the predominant thinking has been that companies are conducting code review in-house, if they're doing it at all.
"One thing that cuts across all the statistics is a growing approach toward secure coding," Gelbord said of the survey.
It's OWASP's first survey on secure software development budgets. Gelbord said the organization is trying to measure spending habits and, over time, gauge whether companies are placing an emphasis on building applications with more secure software code. The goal of the project is to establish an industry-accepted benchmark for justifying overall Web application security spending, Gelbord said.
About half of the respondents consider security experience as at least somewhat important in hiring new developers. The figure is a positive sign that companies are trying to place a greater emphasis on secure software development, Gelbord said. The majority of those surveyed also said they provide software security training both internally and externally.
Spending on Web application development is expected to be flat or rise slightly during the economic downturn. But the survey results were somewhat inconclusive. The survey found that Web application security represents 10% of security spending in 36% of the companies surveyed. Another 33% of firms surveyed did not know what portion of security spending is on Web applications.