Oct 10, 2012
Research: 2012 Application Security Survey
Given that application vulnerabilities are the single largest contributor to breaches, most organizations have some type of application security program in place. Too bad they aren’t usually effective. We waste money on the tool of the moment instead of building repeatable processes. We spend too much time trying to convert developers into security experts, and we focus too closely on trying to eradicate every application vulnerability instead of working smart with mitigation—think Web application firewalls and OS hardening. The result: Most organizations spin their wheels and keep throwing money at security projects that don’t significantly reduce risk.
We asked the 336 respondents to our InformationWeek 2012 Application Security Survey who are using, building or considering a secure software development life cycle to rate the effectiveness of their application security technology and training programs in accomplishing six key goals. A reduction in the number of application security vulnerabilities that make it into production code came in at fifth place, just a tick above reducing the number of application vulnerabilities found by tools. That’s not very comforting.
What must we do differently? For starters, assume someone is able to break into an application. We need to practice defense in depth properly, so the attacker cannot leverage that initial entry for further gain, such as privilege escalation or theft of intellectual property or personally identifiable information. We need to put supporting systems in place, then focus on tightly integrating them into the SDLC. And we need to measure and trend a limited but highly relevant set of metrics.
In this report, we’ll analyze our survey findings and discuss how CIOs and security teams can work with developers and QA to build a united front against application attacks. (R3941211)
Survey Name: InformationWeek 2012 Application Security Survey
Survey Date: November 2011
Region: North America
Number of Respondents: 475
Purpose: To determine use of secure application development methods.
Methodology: InformationWeek surveyed business technology decision-makers at North American organizations. The survey was conducted online, and respondents were recruited via an email invitation containing an embedded link to the survey. The email invitation was sent to qualified InformationWeek subscribers.