
Ponemon & Security Innovation Research: Our Vulnerable State of Application Security Maturity

by Jason Taylor on September 26, 2013

Part 2 of 5 – The importance of Standards & Policies

To view the previous post in this five-part series, click here.

Application security policies are focused on how applications are securely developed. The goal of an application security policy is to define the business’s security expectations for the development organization. This is often stated in the context of a larger information security policy that is defined by the information security or risk management teams.

According to the research findings, most organizations do not have a defined software development process in place, and for those organizations that do, security policies and requirements are often ad hoc and not integrated into the SDLC. The lack of consistent policies and requirements makes it difficult to identify and remediate security vulnerabilities. In addition, a lack of application security standards means there is no baseline against which to measure compliance or the security quality of any given application.

Defined standards are missing in a majority of organizations represented in this study:

  • 58% of respondents indicate that they do not review code for adherence to secure coding standards
  • Only 43% have corporate application security policies, and 42% say their organizations have formal security requirements as part of the development process
  • 56% of respondents either did not have application security policies, or didn’t know where they could be found
  • 58% do not use security requirements as part of the software development process

Without a set of application security policies, development teams have no business requirements defining how they should prioritize and think about security in the context of all the other work they have to get done. The result is that security is not prioritized and either slips to the very end, when it's too late to do much good, or never gets done at all, making it impossible to effectively prioritize threats and mitigate risks.

Application security policies should be tied to business objectives and business requirements and then translated into standards that are specific to the technology and applications that your development team is building.

An effective application security policy has the following attributes:

  • Clearly states what must be done
  • Clearly states why it matters
  • Technology agnostic, widely applicable
  • Tied to a real business objective
  • Deployed in such a way that it is easy to access and maintain

Topics: application security, cybersecurity news
