If you have any role at all regarding security in the application development process – especially a leadership role that oversees development – you simply must read a new report by the Ponemon Institute and the application security company Security Innovation. You’ll find “The State of Application Security” here (behind a registration form). To me, this report is absolutely alarming.
The report is based on a survey by the Ponemon Institute of more than 640 IT professionals in executive level and software engineering or development positions across a variety of industries. The respondents are primarily focused on developing applications for their organizations’ own use. In other words, most of these people are not creating software for commercial sale—but major businesses like insurance companies and banks are using these applications to run their business processes.
The report lists 7 key findings based on the data gathered:
- Security is inadequately addressed during the software development process.
- Most organizations are not testing for application security.
- Policies and requirements are often ad-hoc and not integrated into the software development life cycle (SDLC).
- The majority of organizations do not have a formal application security training program.
- Most development teams are not measured for compliance with regulations and standards.
- Most organizations do not identify, measure, or understand application security risks.
- Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities.
What these findings are saying is that companies don’t really care about building security into the software development life cycle. Not only does it put these companies at risk of data breaches and hacking attacks, but it puts at risk everyone whose data comes in contact with a poorly secured application. Maybe it’s your application for a home mortgage, or a charity’s list of financial donors, or a hospital’s patient information.
Dr. Larry Ponemon says, “The application layer is by far the layer with the most vulnerabilities, but most companies spend the majority of their security budget on endpoint protection and network security. While security at those levels is certainly a good thing, executives seem to be ignoring and disillusioned and misinformed about what they are doing with respect to software security or application security.”
Ed Adams, CEO of Security Innovation and sponsor of the survey, says, “In the last 8 to 10 years, the number one security vulnerability has been SQL injection.” (It’s certainly at the top of the OWASP “2013 Top 10 List.”) According to Adams, “This is our best understood and most easy-to-defend-against software security threat, and yet it has remained at the top of the vulnerability lists for years.” Adams says that many of his company’s remediation engagements come after a business has had an incident tied to software failures. “So many of these problems are preventable. Companies aren’t putting the time and effort into building the standards they need and educating their developers on even just the top 5 security threats. If they would do that much, this would cover 80% of data breaches and vulnerabilities.”
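To illustrate why Adams calls SQL injection the easiest threat to defend against, here is an added example (written for this post, not code from the report or from Security Innovation): the same account lookup built by string concatenation and by parameter binding, run against a constructed in-memory SQLite table with a constructed test input.

```python
import sqlite3

# Constructed in-memory table standing in for an application's account store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The 'before' pattern: the statement is assembled by concatenation,
    # so whatever the caller supplies becomes part of the SQL syntax.
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The fix: a bound placeholder. The driver sends the value separately from
    # the statement text, so the input is always data and never SQL.
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()

def demo() -> dict:
    conn = make_db()
    normal = "bob"
    hostile = "' OR '1'='1"  # constructed input: a tautology when concatenated
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),      # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),    # every row leaks
        "safe_normal": lookup_parameterized(conn, normal),   # one row
        "safe_hostile": lookup_parameterized(conn, hostile), # no such user
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The only difference between the two functions is the placeholder, which is the whole point of the secure coding standard the report finds most organizations lack.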
Some of the interesting insights to come out of this report include the following:
Lack of defined process: Only 43% of respondents say their organizations have a defined software development process in place. Of these, 69% adhere to the defined process, meaning that only 30% of organizations have a defined software development process that they really adhere to.
Lack of coding standards: 55% of respondents say their organization lacks defined secure coding standards, and 58% of respondents do not review code for adherence to secure coding standards.
Insufficient training: While the organizations may have some type of training in place, a majority (60%) of organizations are not updating internal training and education to ensure development teams are capable of adhering to application security policies and best practices.
Disconnect between executives and people in the trenches: 75% of executives believe that defined secure architecture standards are in place, but only 23% of technicians agree that their organizations have defined secure architecture standards. Furthermore, most executives (71%) believe internal training and education programs are updated to ensure that development teams can address the latest threats and adhere to application security policies and best practices, while only 19% of technical professionals believe this.
That last set of statistics says a great deal about why problems persist in securing applications. Executives who hold the purse strings and set direction have one perception of how their teams are doing, while the people actually doing the work, for the most part, don’t agree. Until this communication gap is bridged and everyone places a much higher emphasis on ensuring that security standards are set and met during the development life cycle, we are doomed to continue experiencing application security breaches.