Risk across the phases of application security
A new Ponemon Institute study surveyed more than 800 IT Security and Development professionals from enterprise organizations to understand the perceptions both groups have about application security maturity.
The study revealed that organizations are suffering from a lack of knowledge, skills, remediation capabilities, prioritization and an overall lack of accountability for application security.
Companies are not prioritizing application security as a discipline, evidenced by the fact that four out of five developers and two-thirds of security personnel do not have a process for building security into their software applications.
47% of developers state that there is no formal mandate in place to remediate vulnerable software code.
“We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” said Dr. Larry Ponemon, CEO, Ponemon Institute. “We accomplished that, but what we also found was a drastic divide between the IT Security and Development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it.”
According to the study, more than half of developers (59%) and close to half of security personnel stated that their company has experienced between 1 and 10 data breaches over the past 24 months due to one or more applications being compromised or hacked.
To compound the problem, exploited vulnerable code in Web 2.0/social media applications ranked as the second-highest root cause of data breaches, behind SQL injection attacks, according to 29% of developers and 24% of security personnel.
Notable statistics from the study:
- A mere 12% of security personnel responded that all of their organization’s applications meet regulations for privacy, data protection and information security. 15% of developers feel the same way.
- Close to half (44%) of the developers surveyed stated there is absolutely no collaboration between their development organization and the security organization when it comes to application security.
- 71% of developers feel security is not adequately addressed during the software development life cycle. Half (51%) of the security respondents feel the same way.
- Over half (51%) of both developers and security personnel have no training in application security.
- 60% of security respondents and 65% of developers stated that they do not test mobile applications in the production, development or quality assurance processes.