The Ponemon Institute found in its 'Current State of Application Security Report' that there is a much higher percentage of executive-level respondents who believe their organization is following security procedures throughout the software development lifecycle (SDLC) than do the technicians who are the ones executing those activities.
To wit, a significant majority – 71% of executives interviewed – believe that application security training is available and up to date; yet, only 20% of technical staff had the same answer. About 67% of executives polled feel they have a mature application security program in place, compared to 33% of technical staff. And 75% of executives believe that secure architecture exists in their organization as opposed to just 23% of technical staff.
Further, 75% of executives believe development teams are measured to determine compliance with secure architecture standards versus 23% of technical staff.
This rather staggering disconnect translates into one dangerous over-arching reality: that many organizations do not yet consider the need to proactively do something about application security, and do not accurately identify, measure or understand application security risks.
These organizations either don’t realize that applications pose the biggest threat to their business, or they’re taking a ‘do the least amount possible’ approach,” said Ed Adams, CEO of study sponsor Security Innovation, in a statement. “Both mentalities are exactly the reason that hackers continue to target the application layer successfully; it is much weaker and easier to penetrate than network defenses. The technical staff seem to understand this; however, the executives, who hold the budget, clearly have a different perception.”
Common characteristics of high-performing organizations with respect to application security include the creation or adoption of application security standards; training for the various roles, platforms and technologies; and regular assessments to identify shortcomings. The research confirms that most organizations are lacking in each area.
According to the findings, most organizations do not have a defined software development process in place, and for those organizations that do, security policies and requirements are often ad-hoc and not integrated into the SDLC. Only 43% have corporate application security policies and 42% say their organizations have formal security requirements as part of the development process. And a lack of consistent policies and requirements in place makes it difficult to identify and remediate security vulnerabilities.
When it comes to training and education, more than 80% of technical staff report their organizations are not updating training and education programs for their development teams. Strikingly, between 66% and 71% of executives and directors think that they are updating internal training programs – and this is the group that approves budget spend.
“Application security is a people business. Skill development follows interests and motivation,” said Dr. Sachar Paulus, vice presidnet of the International Secure Software Engineering Council (ISSECO) and former CSO of SAP. “Tools and services are wanted – but they are only used if felt of value, which requires training on how to focus on hot spots, interpret the results, and most important, remediate the vulnerabilities found.”
Despite the many public breaches and attacks that have been reported, most organizations are still not testing their applications for security. Only 43% of respondents say they have a process in place to test for vulnerabilities prior to release, and only 41% are using automated scanning tools to test applications during development. Additionally, only 42% subject applications to a manual penetration testing efforts by internal teams or by a third party. Leveraging third-party security audits for high-risk applications is an indicator of a high-level of maturity.
"Hopefully, our findings stimulate awareness of the importance of application security as part of an organizations’ overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications,” said Larry Ponemon, founder of the Ponemon Institute.
The firm recently found that executive-IT staff disconnects are becoming endemic when it comes to security. In fact, gaps in understanding between IT staff and executives when it comes to cybersecurity is tracking to the rate at which advanced and zero-day attacks against businesses are growing. Ponemon researchers recently found that there is a clear difference between the confidence of executive teams when it comes to UK business’ cyber-defense strategy, compared with the views of the technicians tasked with maintaining it. Specifically, 32% of executives described their organization’s cybersecurity posture as “excellent.” But only 18% of technicians did.
Ponemon also found that 77% of executives feel their organizations’ cybersecurity strategy is aligned with overall business objectives, compared to 97% of technicians. This discrepancy suggests that technicians are clearly failing to frame their needs in language that is understood by IT decision makers – something that is leading to a culture of miscommunication, and is preventing many organizations from developing a robust cyber defense strategy.