Wednesday 28 August 2013

“The State of Application Security” Research report (by Security Innovation and the Ponemon Institute)

Based on a joint research study between Security Innovation and the Ponemon Institute, here is a really interesting report that presents/rationalises the current sorry state of Application Security (in 2013).

If you are a regular reader of my blog, you shouldn't really be shocked by any of this, but, it is a good read and provides good data for management to take Application Security seriously.

Here is a quote from the A must-read report for everyone involved in software development: “The State of Application Security” article:

"...The report is based on a survey by the Ponemon Institute of more than 640 IT professionals in executive level and software engineering or development positions across a variety of industries. The respondents are primarily focused on developing applications for their organizations’ own use. In other words, most of these people are not creating software for commercial sale—but major businesses like insurance companies and banks are using these applications to run their business processes.
The report lists 7 key findings based on the data gathered:

  • Security is inadequately addressed during the software development process. 
  • Most organizations are not testing for application security. 
  • Policies and requirements are often ad-hoc and not integrated into the software development life cycle (SDLC). 
  • The majority of organizations do not have a formal application security training program. 
  • Most development teams are not measured for compliance with regulations and standards. 
  • Most organizations do not identify, measure, or understand application security risks. 
  • Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities.

To that list I would add:

There has been some interesting coverage on this report, for example:

You can download the report from this page and I'm interested to know what you think of it:

Off-the-record note:  if you don't want to give SI a real (or fake) name + email, you can download the pdf directly from the Thank you page , or read it below :)

(see TM's article on  How to Test for Forceful Browsing Vulnerabilities for more details on the type of vulnerabilities that exist when assets are not property protected by solid authentication layers (which is not really relevant in this case, since that 'download now' form is only a soft-marketing page))