To be released to the public on March 20th: results of new research from The Ponemon Institute, IBM, and Security Innovation. The study surveyed over 800 InfoSec/IT and software development professionals to understand the application security maturity (ASM) of their organizations – the skill levels, procedures followed, and tools adopted to create and deploy secure software applications. The results are staggering. Here are some advance peeks:

  • Enterprise organizations aren’t prioritizing application security
    • 64% of security personnel state they either have no process (like a Secure SDLC) at all, or an inefficient ad-hoc process for building security into their applications. 79% of developers state the same.
  • Application Security Know-how is Sorely Lacking
    • 71% of developers feel security is not adequately addressed during the software development life cycle
    • 47% of developers state that there is no formal mandate in place to remediate vulnerable application code
    • Over half (51%) of both developers and security personnel have no training in application security.
    • 54% of developers feel fixing security bugs is a significant drain on their company's time and budget
    • The most common primary means of securing Web-facing applications is a network firewall (good grief!)