How to Make Application Security a Strategically Managed Discipline

Sponsored by IBM Security
Dr. Larry Ponemon & Mr. Neil K. Jones
March 2016



The sampling frame is composed of 16,373 individuals in the United States who are involved in application security in their organizations.

March 2016 Ponemon Institute: Private and Confidential 1

Sample response                       Freq     Pct%
Sampling frame                        16,373   100.0%
Total returns                         716      4.4%
Post-screened and rejected surveys    86       0.5%
Final sample                          630      3.8%

What’s wrong with application security risk management? (Strongly agree and agree responses)

No visibility into the overall state of application security: 67%
Application security is fragmented and carried out at a low level: 65%

Executive support of application security initiatives

Perceptions about application security risk management (Strongly agree and agree responses combined)

More control over applications developed in-house versus off-the-shelf software: 38%
Application security is harder to achieve than other areas of security: 56%
My organization does not know all applications or databases that are currently active: 69%

What best describes your organization’s application security risk management process?

Informal process that is customized by application criticality: 9%
Ad hoc process: 9%
Formal process that is applied consistently across the enterprise: 15%
Informal process that is applied consistently across the enterprise: 18%
Formal process that is customized by application criticality: 21%
No process: 28%

Who owns your organization’s application security risk management process?

Other: 2%
Head of quality assurance: 6%
CISO or CSO: 9%
Head of software development: 15%
No one person or department: 20%
CIO or CTO: 24%
Business units (LOB): 24%

What challenges keep your organization’s application security posture from being fully effective? (Three responses permitted)

Lack of effective testing tools: 18%
Not considered an organizational priority: 19%
Lack of clear leadership: 27%
Insufficient budget (money): 30%
Lack of in-house expertise: 44%
Growth in application security vulnerabilities: 46%
Pressure to release new applications: 56%
Management underestimates risk: 60%

Evolving application security threat landscape

What are your organization’s top application security risk management objectives? (Top three responses)

Other: 3%
Secure critical infrastructure: 11%
Preserve brand and reputation: 21%
Prevent attacks: 23%
Protect intellectual property (e.g., trade secrets, source code, etc.): 48%
Comply with regulations and legal mandates: 62%
Minimize business disruption: 63%
Minimize downtime: 69%

Where do security compromises most likely occur? (100 points allocated based on the level of risk presented by each layer)

Applications: 32
Network: 25
Human negligence: 17
Data: 12
Physical: 9
Operating systems: 5

How significant are SQL Injection and cross-site scripting threats? (7+ on a scale of 1 = no threat to 10 = significant threat)

Cross-Site Scripting threat: 47%
SQL Injection threat: 45%

How effective is your organization in stopping or curtailing security compromises or exploits in software applications? (1 = not effective to 10 = very effective, extrapolated value = 4.7)

1 or 2: 20%
3 or 4: 31%
5 or 6: 24%
7 or 8: 17%
9 or 10: 8%

Reality of application security risk management for today’s organization

What are the essential and most important control activities to establish a strong application security posture? (Essential and Very important responses combined)

Obtain visibility into the state of application security across the enterprise: 75%
Set priorities for testing and remediation that align with business risks and strategies: 72%
Allocate resources to help prevent the most likely and most harmful data breaches: 76%
Measure progress toward application security goals: 54%
Continuously monitor the organization’s overall risk posture: 53%

What steps does your organization take to manage application security risk? (Fully and partially implemented)

Create an inventory of application assets and assess their business impact: 36%
Test the application for vulnerabilities: 44%
Determine the risks and prioritize vulnerabilities: 49%
Remediate the risks: 37%
Measure progress and demonstrate compliance: 25%

Is application security risk within your organization increasing, decreasing or staying the same?

Significantly increasing: 27%
Increasing: 20%
Staying the same: 40%
Decreasing: 11%
Significantly decreasing: 2%

What best describes the maturity level of your organization’s application security risk management program?

We have not launched a security risk management program: 20%
Early stage – most program activities have not been planned or deployed: 25%
Middle stage – program activities are planned and defined, but only partially deployed: 30%
Late-middle stage – many program activities are deployed across the enterprise: 14%
Mature stage – program mission is fully accomplished: 11%

What methods does your organization deploy to test applications for vulnerabilities? (More than one response permitted)

None of the above: 35%
Other: 5%
Interactive security testing: 18%
Mobile application security testing: 23%
Dynamic application security testing: 36%
Static application security testing: 39%

What best describes your organization’s application testing cycle?

No planned cycle: 35%
Only after new code is added: 20%
More than yearly: 5%
Yearly: 8%
Quarterly: 7%
Monthly: 9%
Weekly: 8%
Daily: 2%
Continuously: 6%

What steps are taken to test for vulnerabilities in applications?

Other: 4%
Testing is conducted throughout the application development life cycle: 14%
Testing method scales efficiently from a few to many applications: 21%
Ensuring tests accurately identify actual defects and eliminate false positives: 25%
Covering the most current application technologies: 29%
Handling mobile application vulnerabilities: 33%
None of these steps taken: 46%

What steps does your organization take to remediate the risks associated with vulnerable applications?

None of the above: 48%
Other: 3%
Require best practices for secure authentication in application specifications so that issues are visible to developers and QA engineers: 20%
Create test plans and test scripts to detect authentication defects early in the development cycle: 24%
Provide code libraries or templates that address key issues: 29%
Ensure developers receive training on how to secure the coding process: 36%

Internal barriers to application security excellence

Perceptions about application developers & application security risk (Strongly agree and agree responses combined)

Addressing critical vulnerabilities is most effective in the early stage of the application development life cycle: 35%
Developers view security as a hindrance to releasing new applications: 50%
My organization does not allocate enough resources to ensure business-critical apps are secure: 70%
Developers lack the knowledge or skill to address critical vulnerabilities in the application development life cycle: 73%

What are the most important application security risks to assess? (Average rank, 1 = most important to 5 = least important)

Infrastructure complexity: 4.55
Maturity (e.g., length of time in production): 3.87
Platform (e.g., web/client-server/desktop mobile): 3.05
Functional complexity: 1.92
Business use of the application (e.g., customer facing, partner facing or internal): 1.61

How likely would your organization cease or discontinue the renewal of an agreement with an outsourced developer that is unable to demonstrate sufficient security practices?

Very likely: 16%
Likely: 34%
Unlikely: 28%
Never: 22%

Don’t give up the ship

What attributes are most important in assessing the impact of risk to the organization? (Average rank, 1 = most important to 5 = least important)

Potential damage to the organization’s reputation: 4.46
Legal and contractual obligations: 3.86
Compliance requirements: 2.96
Use/processing of high value intellectual property: 2.18
Use/processing of personally identifiable information (PII): 1.52

Budget for application security today and 12 months from now? (Extrapolated values: today = 18 percent; in 12 months = 23 percent)

Spending on application security activities   Today   12 months from now
< 5%                                          9%      0%
5 to 10%                                      15%     6%
11 to 15%                                     19%     18%
16 to 20%                                     27%     29%
21 to 25%                                     18%     22%
26 to 50%                                     11%     24%
More than 50%                                 1%      1%

Conclusion and recommendations

Recommendations to enhance the security risk management process

• Obtain visibility into the state of application security across the enterprise by creating an inventory of application assets and assessing their business impact.

• Set priorities for testing and remediation that will align with business risks and strategies. Create an application profile template that can be used to capture critical attributes of every application in the enterprise, including the application, development team and business unit responsible for maintaining it.

• Allocate resources to help prevent the most likely and most harmful data breaches. Specifically, those applications that use and/or process personally identifiable information and high value intellectual property should be a priority for risk assessment, testing and remediation.

• Measure progress toward application security goals. Progress means improving the overall risk posture of the organization and allocating resources where they will have the greatest impact in reducing business risk.

• Continuously monitor the organization’s overall risk posture and determine where additional investments in security could reduce further risk.

• Effectively engage the application development and risk management teams in the organization’s application security initiatives so that it is not just an IT project. Initiate this collaboration as early in the development process as possible and provide routine updates to executive management.

• Educate developers, users and executives about the most significant threats through the review of threat data released by organizations like OWASP and others.

Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals in the United States who are involved in application security in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Questions?

Ponemon Institute

Toll Free: 800.887.3118

Michigan HQ: 2308 US 31 N.

Traverse City, MI 49686 USA

[email protected]
