Ponemon & Security Innovation Research: Our Vulnerable State of Application Security Maturity

Posted by Jason Taylor on September 26, 2013 at 10:31 AM
Find me on:

Part 2 of 5 – The importance of Standards & Policies

To view the previous post in this five-part series, click here.

Application security policies are focused on how applications are securely developed. The goal of an application security policy is to define the business’s security expectations for the development organization. This is often stated in the context of a larger information security policy that is defined by the information security or risk management teams.

According to the research findings, most organizations do not have a defined software development process in place, and for those organizations that do, security policies and requirements are often ad-hoc and not integrated into the SDLC. Lack of consistent policies and requirements in place makes it difficult to identify and remediate security vulnerabilities. Plus, a lack of application security standards means there is no baseline against which to measure compliance or security quality of any given application.

Defined standards are missing in a majority of organizations represented in this study:

  • 58% of respondents indicating that they do not review code for adherence to secure coding standards
  • Only 43% have corporate application security policies, and 42% say their organizations have formal security requirements as part of the development process
  • 56% of respondents either did not have application security policies, or didn’t know where they could be found
  • 58% do not use security requirements as part of the software development process

Without a set of application security policies, development teams have no set of business requirements defining how they should prioritize and think about security in the context of all the other work they have to get done. The result is that security is not prioritized and either slips to the very end, when it’s too late to do much good, or it never gets done at all - making it impossible to effectively prioritize threats and mitigate risks.

Application security policies should be tied to business objectives and business requirements and then translated into standards that are specific to the technology and applications that your development team is building.

An effective application security policy has the following attributes:

  • Clearly states what must be done
  • Clearly states why it matters
  • Technology agnostic, widely applicable
  • Tied to a real business objective
  • Deployed in such a way that it is easy to access and maintain

Topics: application security, cybersecurity news

Jason Taylor

Written by Jason Taylor

Jason Taylor leads the strategic direction for all of Security Innovation’s engineering and technology initiatives. He was the designer of our "Creating Secure Code" methodology which has been implemented at many of the world's largest technology organizations. He is a Microsoft Developer MVP for Security and has co-authored ten security guides with the Microsoft Patterns & Practices team.