Part 1 of 5 - the Facts of the Case
Security Innovation and the Ponemon Institute recently released our Current State of Application Security report, which was based on researched designed to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations. 642 IT professionals (both executive and technical positions) were asked specific questions concerning tools usage, development team knowledge, application security policies, and secure coding best practices.
The study, a follow-up to last year’s Application Security Gap Study: A Survey of IT Security & Developers, measured security activities across each phase of software development, and identified gaps that create risk to the organization. The research reveals serious disconnects between Executives and Practitioners as to perceived level of maturity and activities: there is a much higher percentage of executive-level respondents who believe their organization is following security procedures throughout the SDLC (software development lifecycle) than do the engineers who are closest to executing the security processes.
Key Findings of the research:
- Most organizations do not have a defined software development process in place
- Most organizations are not testing for application security
- Policies and requirements are often ad-hoc and not integrated into the SDLC
- The majority of organizations do not have a formal application security training program
- Most development teams are not measured for compliance with regulations and standards
- Most organizations do not identify, measure, or understand application security risks
- Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities
Key data points:
- 71% of executives interviewed believe that application security training is available and up to date; yet, only 20% of technical staff had the same answer
- 67% of executives polled feel they have a mature application security program in place, compared to 33% of technical staff
- 75% of executives believe that secure architecture standards exists in their organization as opposed to 23% of technical staff
- 75% for Executives believe development teams are measured to determine compliance with secure architecture standards versus 23% of technical staff
These findings are concerning because research has confirmed that the application layer is responsible for over 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer. This lack of prioritization is the reason that hackers continue to target the application layer successfully; it is much weaker and easier to penetrate than network defenses. We are hoping that our findings stimulate awareness of the importance of application security as part of an organizations’ overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications. The technical staff seems to understand this; however, the executives, who hold the budget, seem to have a different perception.
Common characteristics of high-performing organizations with respect to application security include:
- The creation or adoption of application security STANDARDS
- TRAINING for the various roles, platforms and technologies, so your teams understand how to implement your standards
- Regular ASSESSMENTS to identify shortcomings and measure effectiveness of your security program.
This research also showed that most organizations do not identify, measure, or understand application security risks and are lacking in each of the above areas. In my subsequent blogs, I’m going to describe in detail the report findings, but more importantly, helpful insight into how to avoid these maturity pitfalls.