The current state of application security

New research offers a better way to understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations. 642 IT professionals (both executive and technical positions) were asked specific questions concerning tools usage, development team knowledge, application security policies, and secure coding best practices.

This report by Security Innovation and The Ponemon Institute measured security activities across each phase of software development, and identified gaps that create risk to the organization.

The primary finding is that there is a much higher percentage of executive-level respondents who believe their organization is following security procedures throughout the SDLC (software development lifecycle) than do the technicians who the ones executing those activities.

Amongst the findings:

• 71% of executives interviewed believe that application security training is available and up to date; yet, only 20% of technical staff had the same answer
• 67% of executives polled feel they have a mature application security program in place, compared to 33% of technical staff
• 75% of executives believe that secure architecture exists in their organization as opposed to 23% of technical staff
• 75% for Executives believe development teams are measured to determine compliance with secure architecture standards versus 23% of technical staff.

“Research has shown that the application layer is responsible for over 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer,” said Dr. Larry Ponemon, founder of the Ponemon Institute. “Hopefully, our findings stimulate awareness of the importance of application security as part of an organizations’ overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications.”

“This collective data has shown that many organizations do not yet consider the need to proactively do something about application security. These organizations either don’t realize that applications pose the biggest threat to their business, or they’re taking a “do the least amount possible’ approach,” said Ed Adams, CEO of Security Innovation.

“Both mentalities are exactly the reason that hackers continue to target the application layer successfully; it is much weaker and easier to penetrate than network defenses. The technical staff seem to understand this; however, the executives, who hold the budget, clearly have a different perception,” Adams added.

Most organizations do not identify, measure, or understand application security risks. Common characteristics of high-performing organizations with respect to application security include the creation or adoption of application security standards; training for the various roles, platforms and technologies; and regular assessments to identify shortcomings. This research confirms that most organizations are lacking in each area:

Standards and policies

According to the findings, most organizations do not have a defined software development process in place, and for those organizations that do, security policies and requirements are often ad-hoc and not integrated into the SDLC. Lack of consistent policies and requirements in place makes it difficult to identify and remediate security vulnerabilities. Only 43% have corporate application security policies and 42% say their organizations have formal security requirements as part of the development process.

Training and education

Despite the rapid change of technology and the rise of new platforms such as cloud and mobile, the majority of organizations do not have a formal application security training program in place. Related to this, more than 80% of technical staff report their organizations are not updating training and education programs for their development teams. Strikingly, between 66% and 71% of executives and directors think that they are updating internal training programs – and this is the group that approves budget spend.

Measurement and assessment

Despite the many public breaches and attacks that have been reported, most organizations are still not testing their applications for security. Only 43% of respondents say they have a process in place to test for vulnerabilities prior to release, and only 41% are using automated scanning tools to test applications during development. Additionally, only 42% subject applications to a manual penetration testing efforts by internal teams or by a third party. Leveraging third party security audits for high-risk applications is an indicator of a high-level of maturity.

The complete report is available here (registration required).