In this Security Innovation sponsored Ponemon study 567 IT security practitioners were asked about the following topics:

  • Application security processes considered most effective
  • Adoption and use of technologies that are affecting the state of application security
  • Gaps between people, process and technology and the effect they have on the enterprise
  • Different perceptions security and development practitioners have about application maturity, readiness and accountability
  • Threats to the application layer, including emerging platforms
  • Application-layer links to data breaches

Key findings from the research include:

  • 12% of security personnel responded that all of their organization’s applications meet regulations for privacy, data protection and information security. And 15% of developers feel the same way
  • 44% of the developers surveyed stated there is absolutely no collaboration between their development organization and the security organization when it comes to application security
  • 71% of developers feel security is not adequately addressed during the software development life cycle. And 51% of the security respondents feel the same way
  • 51% of developers and the same percentage of security personnel say their organizations do not have a training program on application security
  • 60% of security respondents and 65% of developers stated that they do not test mobile applications in the production, development or Q/A processes

Based on the research findings, Ponemon organised the key findings according to the following five themes:

  1. Application security is often not a priority
  2. There is uncertainty about how to fix vulnerable code in critical applications
  3. A lack of knowledge about application security is resulting in a high rate of data breaches
  4. Developers and security practitioners have different perceptions about accountability and collaboration to improve application security
  5. Mobile technology and social media platforms are putting organizations at risk

1. Application security is not a priority

The one area both security and developers agree upon is the lack of resources for application security.

  • 63% state that application security consumes 20% or less of their overall IT security budget
  • 64% of security practitioners state they either have no process, such as systems development life cycle (SDLC) at all, or an inefficient ad-hoc process for building security into their applications
  • 79% of developers say they either have no process or an inefficient, ad-hoc process for building security into their applications
  • 71% of developers believe security is not adequately addressed during the software development life cycle, and 51% of the security respondents agree. In many cases, security is built in during the post-launch phase of the software development cycle and bugs are fixed during the launch phase.
  • Typically, organizations wait for the launch phase or post-launch phase to address security issues in application development, with 57% of security practitioners and 76% of developers saying this is the case in their organizations
  • 36% of security practitioners and 16% of developers say it is addressed early in the application development life-cycle
  • 57% of security practitioners and 76% of developers believe the launch phase and the post-launch phase are when patching and fixing bugs become the most costly and time consuming

2. There is uncertainty about how to fix vulnerable code in critical applications

  • 47% of developers and 29% of security practitioners say their organization has no mandate to remediate vulnerable code
  • 9% of developers say it is driven through the security organization, where the development organization remediates according to best practices. However, more of the security practitioners believe this to be the case.
  • 51% of both developers and security practitioners say their organizations do not have training in application security
  • 22% of security practitioners say their organization has a fully deployed program, compared to 11% of developers
  • When asked what the development team uses to ensure they are successful in remediating potentially vulnerable code or fixing bugs, 46% of security respondents and 51% of developers say they predominantly use homegrown solutions to remediate vulnerable code. Less than half of both security and developers cite the successful use of other methods

3. A lack of knowledge about application security is resulting in a high rate of data breaches

  • Compromised or hacked applications have caused at least one data breach in 68% of the developers’ organizations and 47% of the security practitioners’ organizations over the past 24 months
  • 19% of security practitioners and 16% of developers are not sure if they had a data breach as a result of an application being compromised or hacked

A lack of compliance with regulations could also contribute to the high occurrence of data breaches

  • 12% of security personnel say that all their organization’s applications meet regulations for privacy, data protection and information security and only 15% of developers believe their organizations are in compliance

4. Developers and security practitioners have different perceptions about accountability and collaboration to improve application security

A lack of collaboration between developers and security practitioners in order to improve application security practices is putting data at risk

  • 44% of developers say there is absolutely no collaboration between their function and the security function regarding application security
  • 12% of security practitioners say there is significant collaboration, and 69% say at least some collaboration exists with the developers
  • 28% believe the CISO should be primarily responsible for ensuring security in the application development life cycle in their organization
  • 42% of development respondents from the sample stated that no one person within their organization has primary responsibility for ensuring security in the application development life cycle

5. Mobile technology and Web 2.0 attacks put organizations at risk

  • 39% of developers and 30% of security practitioners believe the most serious threat to application security in the next 12 to 24 months. The next most significant threat is attacker infiltration through Web 2.0 applications.
  • 51% of developers and 40% of security respondents say insecure mobile applications will disrupt business operations at their organizations
  • 42% of developers and 33% of security practitioners worry about insecure applications

The study has produced several startling facts, especially after so many data breaches in 2011, and the consistent message under PCI DSS requirement 6 as well as the data protection laws has been making developers and companies look at the issue.
