2012 Study on Application Security - ISACA
TRANSCRIPT
2012 Study on Application Security: A Survey of IT Security and Developers
Ed Adams, CEO, Security Innovation
Dr. Larry Ponemon, Ponemon Institute
2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
Today’s webinar:
• Text in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? button
• Download the slide deck from the Event Home Page
• No CPEs being offered for this event
• Question or suggestion? Email them to [email protected]
Ponemon Institute LLC
• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
• The Institute has assembled more than 60 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
• The majority of active participants are privacy or information security leaders.
About this research
• This research was conducted to understand the perceptions both security and development practitioners have about application security maturity
• Key topics include:
– Adopted processes considered most effective
– Adoption and use of technologies that are affecting the state of application security
– Gaps between people, process and technology and the effect they have on the enterprise
– Different perceptions security and development practitioners have about application maturity, readiness and accountability
– Threats to the application layer, including emerging platforms
– Application-layer links to data breaches
Respondent Statistics

Sample response       Security   Developer
U.S. sample frame     14,997     6,962
Returned surveys      665        301
Rejected surveys      98         45
Final sample          567        256
Response rate         3.8%       3.7%
Ponemon Institute: Private and Confidential
Attributions about the maturity of IT security activities

[Chart: percentage of Developers vs. Security respondents agreeing with each statement, 0% to 70%. Statements rated:
• Security technologies are adequate in protecting our information assets and IT infrastructure
• Application security is a top priority in my organization
• IT security strategy is fully aligned with the business strategy
• Security & data protection policies are well-defined and fully understood by employees
• The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
• Appropriate steps are taken to comply with the leading IT security standards
• IT security can hire and retain knowledgeable and experienced security practitioners
• The IT security leader is a member of the executive team
• IT security responds quickly to new challenges and issues
• There are ample resources to ensure all IT security requirements are accomplished
Agreement with individual statements ranges from 31% to 58%.]
Key Themes
• Application security is often not a priority.
• There is uncertainty about how to fix vulnerable code in critical applications.
• A lack of knowledge about application security is resulting in a high rate of data breaches.
• A lack of accountability and discrepancy in priorities exists in many enterprises.
• Mobile technology and social media platforms are putting organizations at risk.

Application security is often not a priority
Then what are organizations prioritizing? And what does this mean?
• 79% of developers have an ad-hoc, or no, process for building security into applications.
• 64% of security personnel have an ad-hoc, or no, process for building security into applications.
• 71% of developers feel security is not addressed in the SDLC.
• 51% of security personnel feel security is not addressed in the SDLC.
• 30% of developers build security into the post-launch phase.
• 13% of security personnel feel code-induced threats represent a greater threat than the human factor.
Please choose one statement that best describes security threats in your organization today

[Chart: one best choice, Developer vs. Security, 0% to 50%.]
Human and code-induced threats are equal in terms of inherent security risk: Developer 41%, Security 44%
Human factor threats present a greater inherent security risk than code-induced threats: Developer 21%, Security 43%
Code-induced threats present a greater inherent security risk than human factor threats: Developer 38%, Security 13%
Does your organization have a process for ensuring that security is built into new applications?

[Chart: Security vs. Developer, 0% to 50%.]
Yes, we have a standardized process: Security 36%, Developer 21%
Yes, we have a non-standardized or “ad hoc” process: Security 43%, Developer 46%
No, we don’t have a process: Security 21%, Developer 33%
In your opinion, is security adequately emphasized during the application development lifecycle?

[Chart: Security vs. Developer, 0% to 80%.]
Yes: Security 49%, Developer 29%
No: Security 51%, Developer 71%
Where in the application development lifecycle does your organization build in security features? (More than one choice permitted)

[Chart: Security vs. Developer, 0% to 35%; phases: Design phase, Development phase, Launch phase, Post-launch phase, Unsure. Security respondents place 60% of their answers in the design and development phases combined; Developers report 37% for design and development combined and 30% for the post-launch phase.]
There is uncertainty about how to fix vulnerable code in critical applications

Organizations can’t identify a starting point… and they are looking at the other organization to get it done.
• 47% of developers state that there is no formal mandate in place to remediate vulnerable application code.
• 29% of security personnel state that there is no formal mandate in place to remediate vulnerable application code.
• 51% of developers have no training in application security.
• 51% of security personnel have no training in application security.
• 54% of developers feel fixing bugs/patching applications is a drain on their company’s time and budget.
• 46% of security personnel say the major attack methodology in breaches over the past 24 months is SQL injection.
How does your organization mandate the remediation of vulnerable code? (One best choice)

[Chart: Developer vs. Security, 0% to 50%. Options:
• No formal mandate to remediate vulnerable code exists: Developer 47%, Security 29%
• It’s driven through the security organization, where the development organization remediates according to best practices
• Compliance mandates drive the process and the risk group is responsible for pushing the directive
• Development or engineering drives the process without any mandate from security
• External auditors provide the mandate, which then gets pushed down through the corporate risk group down to security and development teams
• Other (please specify)]
Has your organization deployed a training program on application security?

[Chart: Security vs. Developer, 0% to 40%. Options: Yes, fully deployed; Yes, partially deployed; No, but we plan to deploy in the next 12 to 24 months; No; Unsure. About half of each group (51%) has no application security training in place.]
What does your development team use to ensure they are successful in remediating potentially vulnerable code or fixing bugs? (More than one choice permitted)

[Chart: Developer vs. Security, 0% to 60%. Options: Homegrown solution; Static analysis solution; Training or education as needed; Dynamic analysis solution; An IDE system (Integrated Development …); A bug tracking/de-bugging tool; Google as a reference; Wikipedia as a reference; Other (please specify). Homegrown solutions top the list at roughly half of respondents (46% and 51%).]
What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)

[Chart: Developer vs. Security, 0% to 50%. Attack methods:
• SQL injection attack at the application layer: Developer 42%, Security 46%
• Exploit of insecure code through use of a Web 2.0 application: Developer 29%, Security 24%
• Cross-site scripting attack at the application layer
• Exploit of insecure software code on a mobile device
• Privilege escalation attack at the application layer
• Other attack methodology at the application layer
• Unsure]
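Added example, not part of the webinar deck or the Ponemon report: the survey’s most-cited breach method, SQL injection at the application layer, shown as a string-built query beside its parameterized form and run against a constructed in-memory SQLite table. The table, the user names, the tautology payload and the apostrophe input are all assumptions made for the demonstration; the point is that the same three inputs behave completely differently depending only on how the query is built.

```python
import sqlite3

# Constructed sample data (not from the survey): a tiny users table.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the username is pasted into the SQL text, so quotes and
    operators in the input are parsed as SQL syntax rather than as data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter keeps the input a literal value, whatever
    characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups against a benign name, an injection payload and a
    legitimate name containing an apostrophe; return the observed results."""
    conn = make_db()
    benign = "alice"
    payload = "x' OR '1'='1"   # classic tautology: WHERE ... = 'x' OR '1'='1'
    apostrophe = "o'brien"     # ordinary input that breaks naive quoting

    results = {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_payload": find_user_vulnerable(conn, payload),     # every row leaks
        "safe_benign": find_user_parameterized(conn, benign),
        "safe_payload": find_user_parameterized(conn, payload),  # no such user
        "safe_apostrophe": find_user_parameterized(conn, apostrophe),
    }
    try:
        results["vuln_apostrophe"] = find_user_vulnerable(conn, apostrophe)
    except sqlite3.Error as exc:
        # The concatenated query is malformed SQL. In production, this error
        # surfacing to the user is what tips an attacker off to the injection
        # point; with the parameterized query the same input simply matches nothing.
        results["vuln_apostrophe"] = "sql error: " + type(exc).__name__
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

Parameter binding is the fix the survey’s remediation slides are asking for: it is a code change, not a network control, which is why budget that leans toward the network does not reduce this class of breach.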
A lack of knowledge about application security is resulting in a high rate of data breaches

Breaches continue to happen at the application level. Yet budget prioritization leans toward the network…
• Two-thirds of developers have experienced between 1-10 breaches in the past 24 months due to insecure applications.
• Half of security personnel state they experienced between 1-10 breaches in the past 24 months due to insecure applications.
• 15% of developers feel all of their organization’s applications meet security regulations.
• 12% of security personnel feel all of their organization’s applications meet security regulations.
• 16% of developers don’t know if a breach has even occurred within their organization at the application layer.
• 19% of security personnel don’t know if a breach has even occurred within their organization at the application layer.
How often over the past 24 months has your organization experienced a data breach or security exploit as a result of an application being compromised or hacked?

[Chart: Security vs. Developer, 0% to 45%; answers: Zero (0), 1 to 5, 6 to 10, More than 10, Unsure. Unsure: Security 19%, Developer 16%.]
To the best of your knowledge, are your organization’s applications compliant with all regulations for privacy, data protection and information security?

[Chart: Security vs. Developer, 0% to 50%; answers: Yes, for all applications (Security 12%, Developer 15%); Yes, for most applications; Yes, but only for some applications; No; Unsure.]
What percentage of your IT security budget is dedicated to application security measures or activities?

[Chart: Security vs. Developer, 0% to 45%; bands: Less than 10%, 11 to 20%, 21 to 30%, 31 to 40%, 41 to 50%, More than 50%. The tallest bars are 38% and 39%.]
Please choose one statement that best describes security priorities in your organization today.

[Chart: Security vs. Developer, 0% to 50%. Statements: Network security is a lower priority than application security; Network security is a higher priority than application security; Network security and application security are equal in terms of security priorities.]
A lack of accountability and a discrepancy in priorities exists in many enterprises

Software security lives in a silo organizationally. And no one wants to own it…
• 44% of developers say there is no collaboration between the development organization and the security organization.
• 36% of security personnel state there’s at least some collaboration between the development organization and the security organization.
• 42% of developers say that no one person owns security in the SDLC.
• 28% of security professionals feel the CISO should bear the ultimate responsibility for application security.
• 37% of developers build security into the design or development phase of the SDLC.
• 60% of security personnel say that security is built into the design or development phase of the SDLC.
What best describes the nature of collaboration between your organization’s application development and security teams?

[Chart: Security vs. Developer, 0% to 50%; answers: Significant collaboration (Security 12%, Developer 9%), Some collaboration (Security 36%), Limited collaboration, No collaboration (Developer 44%).]
Who in your organization is most responsible for ensuring security in the application development lifecycle?

[Chart: Security vs. Developer, 0% to 45%; answers: CIO, CISO (Security 28%), Head of application development, Head of quality assurance, No one person has overall responsibility (Developer 42%), Other (please specify).]
Mobile technology and social media platforms put organizations at risk

We haven’t wanted to admit it, but mobile and social media apps are here to stay… and we better plan ahead!
• 47% of developers say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
• 46% of security personnel say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
• 29% of developers say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.
• 24% of security pros say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.
• 65% of developers do not test mobile applications in production, development or Q/A processes.
• 60% of security personnel do not test mobile applications in production, development or Q/A processes.
What do you see as the two most serious emerging threats relative to application security over the next 12 to 24 months?

[Chart: Developer vs. Security, 0% to 45%. Options: Insecure mobile applications; Attacker infiltration through Web 2.0 applications; Hybrid mobile platform/Web 2.0 software vulnerabilities; Social media applications; Continuance of web applications; Other (please specify). Insecure mobile applications is the most-cited answer (39%).]
Following are three scenarios about attacks that may significantly impact your organization.

[Chart: Developer vs. Security, 0% to 60%. Scenarios:
• Attacks through insecure mobile applications will significantly disrupt business operations within my organization
• Attacks through insecure applications will significantly disrupt business operations within my organization
• Attacks through an insecure network will significantly disrupt business operations within my organization]
What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)

[Chart repeated from earlier in the deck: SQL injection at the application layer (Developer 42%, Security 46%) and exploit of insecure code through a Web 2.0 application (Developer 29%, Security 24%) lead; the remaining categories are cross-site scripting, privilege escalation, insecure code on a mobile device, other application-layer methods, and Unsure.]
Does your organization test mobile apps in the following venues? (More than one choice permitted)

[Chart: Security vs. Developer, 0% to 70%; venues: Production, Development, Testing and quality assurance, None of the above. None of the above: Security 60%, Developer 65%.]
Contact Information
Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686
[email protected]

Thank You!
Ed Adams, CEO, Security Innovation
[email protected]
Pre-register for the report at: http://www.securityinnovation.com/security-lab/research.html
Or contact sales at: [email protected]