Checkmarx released the UK findings of its report, which found that 45% of organizations have suffered at least two security breaches as a direct result of a vulnerable application. Alongside this, the report found that 34% of UK organizations that had experienced a security breach relating to an application in the year preceding the survey have laid off employees seen as bearing responsibility.
Respondents to the survey, which was commissioned to spotlight the biggest security challenges that application security (AppSec) managers and software developers face in today’s threat landscape, also identified software developers (39%) and application security managers (32%) as those who most often bear responsibility for the security of applications. Only 10% named CISOs or CSOs as those with the most responsibility within their organization.
Given that 45% of respondents – who were AppSec managers and software developers in UK organizations of over 1,000 employees – reported being breached twice in the last 12 months, and 22% three times, the survey makes it clear that security teams may be at risk, with organizations not averse to penalising those deemed responsible for such security breaches.
What’s making an application vulnerable and leading to breaches?
The survey also looked at what led to these breaches, with 43% of respondents stating they suffered a software supply chain attack, an attack vector known to be a firm favourite among threat actors. Other factors that contributed to breaches include cloud application misconfigurations (40%), malicious third-party packages or components (39%), and known but unpatched vulnerabilities (38%).
This data tells us that organizations can directly influence the likelihood of breaches by taking care of what is within their control. Those who don’t will suffer negative business impacts, which respondents reported as theft or loss of customer data (40%), loss of customers (39%), decline in customer trust (34%), intellectual property theft or loss (33%), and loss of revenue (32%).
Positively though, there is much to be learned from the breaches that happened over the last year, and respondents believe greater application security – and therefore overall security – can be achieved in 2022. The ways to do so, according to respondents, include having clear roles and responsibilities for AppSec managers and developers, closer alignment between AppSec managers and developers, better integration of application security testing solutions, and ensuring a commitment to improving the overall approach to ‘building in’ security during software development.