WILMINGTON, Mass.--(BUSINESS WIRE)--Security Innovation and The Ponemon Institute today announced the release of its Current State of Application Security Report. The objective of the research was to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations. 642 IT professionals (both executive and technical positions) were asked specific questions concerning tools usage, development team knowledge, application security policies, and secure coding best practices.
This report, a follow-up to last year’s Application Security Gap Study: A Survey of IT Security & Developers, measured security activities across each phase of software development and identified gaps that create risk to the organization. The primary finding is that a much higher percentage of executive-level respondents believe their organization is following security procedures throughout the SDLC (software development lifecycle) than do the technicians who are the ones executing those activities. Amongst the findings:
- 71% of executives interviewed believe that application security training is available and up to date; yet, only 20% of technical staff had the same answer
- 67% of executives polled feel they have a mature application security program in place, compared to 33% of technical staff
- 75% of executives believe that secure architecture exists in their organization as opposed to 23% of technical staff
- 75% of executives believe development teams are measured to determine compliance with secure architecture standards, versus 23% of technical staff
“Research has shown that the application layer is responsible for over 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer,” said Dr. Larry Ponemon, founder of the Ponemon Institute. “Hopefully, our findings stimulate awareness of the importance of application security as part of an organization’s overall risk management strategy, and encourage dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications.”
“This collective data has shown that many organizations do not yet consider the need to proactively do something about application security. These organizations either don’t realize that applications pose the biggest threat to their business, or they’re taking a ‘do the least amount possible’ approach,” said Ed Adams, CEO of Security Innovation. “Both mentalities are exactly the reason that hackers continue to target the application layer successfully; it is much weaker and easier to penetrate than network defenses. The technical staff seem to understand this; however, the executives, who hold the budget, clearly have a different perception.”
The State of Application Security
Most organizations do not identify, measure, or understand application security risks. Common characteristics of high-performing organizations with respect to application security include the creation or adoption of application security standards; training for the various roles, platforms and technologies; and regular assessments to identify shortcomings. This research confirms that most organizations are lacking in each area:
Standards & Policies
According to the findings, most organizations do not have a defined software development process in place, and for those organizations that do, security policies and requirements are often ad hoc and not integrated into the SDLC. The lack of consistent policies and requirements makes it difficult to identify and remediate security vulnerabilities. Only 43% have corporate application security policies, and 42% say their organizations have formal security requirements as part of the development process.
Training & Education
Despite the rapid change of technology and the rise of new platforms such as cloud and mobile, the majority of organizations do not have a formal application security training program in place. Related to this, more than 80% of technical staff report their organizations are not updating training and education programs for their development teams. Strikingly, between 66% and 71% of executives and directors think that they are updating internal training programs – and this is the group that approves budget spend.
Measurement & Assessment
Despite the many public breaches and attacks that have been reported, most organizations are still not testing their applications for security. Only 43% of respondents say they have a process in place to test for vulnerabilities prior to release, and only 41% are using automated scanning tools to test applications during development. Additionally, only 42% subject applications to manual penetration testing efforts by internal teams or by a third party. Leveraging third-party security audits for high-risk applications is an indicator of a high level of maturity.
“Application security is a people business. Skill development follows interests and motivation,” said Dr. Sachar Paulus, VP of the International Secure Software Engineering Council (ISSECO) and former CSO of SAP. “Tools and services are wanted – but they are only used if felt of value, which requires training on how to focus on hot spots, interpret the results, and most important, remediate the vulnerabilities found.”
For more information on the report, please visit: https://www.securityinnovation.com/security-lab/research/the-state-of-application-security.html
About Security Innovation
Security Innovation is an authority in application security and offers solutions based on the three pillars of the Software Development Lifecycle (SDLC): standards, education and assessment. On a mission to help eliminate the root cause of most data breaches – insecure software applications – Security Innovation helps organizations build internal expertise, uncover critical vulnerabilities and integrate security into software applications. The company’s flagship training products include TeamMentor™ secure development standards and TeamProfessor™, the industry’s largest library of application security awareness and technical eLearning courses.
About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. The company’s mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.