If you are a regular reader of my blog, you shouldn't really be shocked by any of this, but, it is a good read and provides good data for management to take Application Security seriously.
Here is a quote from the A must-read report for everyone involved in software development: “The State of Application Security” article:
"...The report is based on a survey by the Ponemon Institute of more than 640 IT professionals in executive level and software engineering or development positions across a variety of industries. The respondents are primarily focused on developing applications for their organizations’ own use. In other words, most of these people are not creating software for commercial sale—but major businesses like insurance companies and banks are using these applications to run their business processes.
The report lists 7 key findings based on the data gathered:
- Security is inadequately addressed during the software development process.
- Most organizations are not testing for application security.
- Policies and requirements are often ad-hoc and not integrated into the software development life cycle (SDLC).
- The majority of organizations do not have a formal application security training program.
- Most development teams are not measured for compliance with regulations and standards.
- Most organizations do not identify, measure, or understand application security risks.
- Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities.
To that list I would add:
- 'Few organizations have strong knowledge on how their core/mission-critical applications actually work (and are able visualise its behaviour/attack-surface)'
- 'Organizations/developers should demand that Application Security companies/services deliver security knowledge via Automated-Tests instead of PDFs' (on this topic, which I'm very passionate about, see my posts: We need to give our clients 'scripts' not pdfs , Security evolution into Engineering Productivity , No more PDFs with Security Findings)
There has been some interesting coverage on this report, for example:
- A bridge too far: Assessing the current state of application security (Tech Republic)
- Study finds big gap about app security between execs and IT staffers (CSO online)
- Execs, Technical Staff Don't See Eye To Eye In Secure Application Development Progress (Dark Reading)
- Datacenters Face Huge App Security Gap (DataCenter Acceleration)
You can download the report from this page and I'm interested to know what you think of it:
Off-the-record note: if you don't want to give SI a real (or fake) name + email, you can download the pdf directly from the Thank you page , or read it below :)
(see TM's article on How to Test for Forceful Browsing Vulnerabilities for more details on the type of vulnerabilities that exist when assets are not property protected by solid authentication layers (which is not really relevant in this case, since that 'download now' form is only a soft-marketing page))
