Post on 12-Apr-2017
transcript
Sponsored by IBM Security
Dr. Larry Ponemon & Mr. Neil K. Jones
March 2016
How to Make Application Security a
Strategically Managed Discipline
The sampling frame is composed of 16,373
individuals in the United States who are involved
in application security in their organizations.
March 2016 Ponemon Institute: Private and Confidential 1
Sample response                      Freq     Pct%
Sampling frame                       16,373   100.0%
Total returns                        716      4.4%
Post-screened and rejected surveys   86       0.5%
Final sample                         630      3.8%
What's wrong with application security risk management?
(Strongly agree and agree responses combined)
No visibility into the overall state of application security: 67%
Application security is fragmented and carried out at a low level: 65%
Executive support of application security initiatives
Perceptions about application security risk management
(Strongly agree and agree responses combined)
My organization does not know all applications or databases that are currently active: 69%
Application security is harder to achieve than other areas of security: 56%
More control over applications developed in-house versus off-the-shelf software: 38%
What best describes your organization's application security risk management process?
No process: 28%
Formal process that is customized by application criticality: 21%
Informal process that is applied consistently across the enterprise: 18%
Formal process that is applied consistently across the enterprise: 15%
Ad hoc process: 9%
Informal process that is customized by application criticality: 9%
Who owns your organization's application security risk management process?
Business units (LOB): 24%
CIO or CTO: 24%
No one person or department: 20%
Head of software development: 15%
CISO or CSO: 9%
Head of quality assurance: 6%
Other: 2%
What challenges keep your organization's application security posture from being fully effective?
(Three responses permitted)
Management underestimates risk: 60%
Pressure to release new applications: 56%
Growth in application security vulnerabilities: 46%
Lack of in-house expertise: 44%
Insufficient budget (money): 30%
Lack of clear leadership: 27%
Not considered an organizational priority: 19%
Lack of effective testing tools: 18%
Evolving application security threat landscape
What are your organization's top application security risk management objectives?
(Top three responses)
Minimize downtime: 69%
Minimize business disruption: 63%
Comply with regulations and legal mandates: 62%
Protect intellectual property (e.g., trade secrets, source code, etc.): 48%
Prevent attacks: 23%
Preserve brand and reputation: 21%
Secure critical infrastructure: 11%
Other: 3%
Where do security compromises most likely occur?
(100 points allocated based on the level of risk presented by each layer)
Applications: 32
Network: 25
Human negligence: 17
Data: 12
Physical: 9
Operating systems: 5
How significant are SQL injection and cross-site scripting threats?
(7+ on a scale of 1 = no threat to 10 = significant threat)
Cross-site scripting threat: 47%
SQL injection threat: 45%
How effective is your organization in stopping or curtailing security compromises or exploits in software applications?
(1 = not effective to 10 = very effective; extrapolated value = 4.7)
1 or 2: 20%
3 or 4: 31%
5 or 6: 24%
7 or 8: 17%
9 or 10: 8%
Reality of application security risk management for today's organization
What are the essential and most important control activities to establish a strong application security posture?
(Essential and Very important responses combined)
Obtain visibility into the state of application security across the enterprise: 75%
Set priorities for testing and remediation that align with business risks and strategies: 72%
Allocate resources to help prevent the most likely and most harmful data breaches: 76%
Measure progress toward application security goals: 54%
Continuously monitor the organization's overall risk posture: 53%
What steps does your organization take to manage application security risk?
(Fully and partially implemented)
Create an inventory of application assets and assess their business impact: 36%
Test the application for vulnerabilities: 44%
Determine the risks and prioritize vulnerabilities: 49%
Remediate the risks: 37%
Measure progress and demonstrate compliance: 25%
Is application security risk within your organization increasing, decreasing or staying the same?
Significantly increasing: 27%
Increasing: 20%
Staying the same: 40%
Decreasing: 11%
Significantly decreasing: 2%
What best describes the maturity level of your organization's application security risk management program?
We have not launched a security risk management program: 20%
Early stage – most program activities have not been planned or deployed: 25%
Middle stage – program activities are planned and defined, but only partially deployed: 30%
Late-middle stage – many program activities are deployed across the enterprise: 14%
Mature stage – program mission is fully accomplished: 11%
What methods does your organization deploy to test applications for vulnerabilities?
(More than one response permitted)
Static application security testing: 39%
Dynamic application security testing: 36%
Mobile application security testing: 23%
Interactive security testing: 18%
Other: 5%
None of the above: 35%
What best describes your organization's application testing cycle?
No planned cycle: 35%
Only after new code is added: 20%
More than yearly: 5%
Yearly: 8%
Quarterly: 7%
Monthly: 9%
Weekly: 8%
Daily: 2%
Continuously: 6%
What steps are taken to test for vulnerabilities in applications?
Handling mobile application vulnerabilities: 33%
Covering the most current application technologies: 29%
Ensuring tests accurately identify actual defects and eliminate false positives: 25%
Testing method scales efficiently from a few to many applications: 21%
Testing is conducted throughout the application development life cycle: 14%
Other: 4%
None of these steps taken: 46%
What steps does your organization take to remediate the risks associated with vulnerable applications?
Ensure developers receive training on how to secure the coding process: 36%
Provide code libraries or templates that address key issues: 29%
Create test plans and test scripts to detect authentication defects early in the development cycle: 24%
Require best practices for secure authentication in application specifications so that issues are visible to developers and QA engineers: 20%
Other: 3%
None of the above: 48%
Internal barriers to application security excellence
Perceptions about application developers and application security risk
(Strongly agree and agree responses combined)
Developers lack the knowledge or skill to address critical vulnerabilities in the application development life cycle: 73%
My organization does not allocate enough resources to ensure business-critical apps are secure: 70%
Developers view security as a hindrance to releasing new applications: 50%
Addressing critical vulnerabilities is most effective in the early stage of the application development life cycle: 35%
What are the most important application security risks to assess?
(Average rank, 1 = most important to 5 = least important)
Business use of the application (e.g., customer facing, partner facing or internal): 1.61
Functional complexity: 1.92
Platform (e.g., web/client-server/desktop/mobile): 3.05
Maturity (e.g., length of time in production): 3.87
Infrastructure complexity: 4.55
How likely is it that your organization would cease or not renew an agreement with an outsourced developer that is unable to demonstrate sufficient security practices?
Very likely: 16%
Likely: 34%
Unlikely: 28%
Never: 22%
What attributes are most important in assessing the impact of risk to the organization?
(Average rank, 1 = most important to 5 = least important)
Use/processing of personally identifiable information (PII): 1.52
Use/processing of high value intellectual property: 2.18
Compliance requirements: 2.96
Legal and contractual obligations: 3.86
Potential damage to the organization's reputation: 4.46
Budget for application security today and 12 months from now
(Share of IT security budget; extrapolated value for today = 18 percent, extrapolated value in 12 months = 23 percent)
Budget share          Today    12 months from now
< 5%                  9%       0%
5 to 10%              15%      6%
11 to 15%             19%      18%
16 to 20%             27%      29%
21 to 25%             18%      22%
26 to 50%             11%      24%
More than 50%         1%       1%
Recommendations to enhance the security risk management process
• Obtain visibility into the state of application security across the enterprise by creating an inventory of application assets and assessing their business impact.
• Set priorities for testing and remediation that will align with business risks and strategies. Create an application profile template that can be used to capture critical attributes of every application in the enterprise, including the application, development team and business unit responsible for maintaining it.
• Allocate resources to help prevent the most likely and most harmful data breaches. Specifically, those applications that use and/or process personally identifiable information and high value intellectual property should be a priority for risk assessment, testing and remediation.
• Measure progress toward application security goals. Progress means improving the overall risk posture of the organization and allocating resources where they will have the greatest impact in reducing business risk.
• Continuously monitor the organization's overall risk posture and determine where additional investments in security could reduce further risk.
• Effectively engage the application development and risk management teams in the organization's application security initiatives so that it is not just an IT project. Initiate this collaboration as early in the development process as possible and provide routine updates to executive management.
• Educate developers, users and executives about the most significant threats through the review of threat data released by organizations like OWASP and others.
To learn more: SecurityIntelligence.com blog (the full report is available free of charge).
Caveats
There are inherent limitations to survey research that need to be carefully considered
before drawing inferences from findings. The following items are specific limitations that
are germane to most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns.
We sent surveys to a representative sample of individuals, resulting in a large number
of usable returned responses. Despite non-response tests, it is always possible that
individuals who did not participate are substantially different in terms of underlying
beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree
to which the list is representative of individuals in the United States who are involved
in application security in their organizations. We also acknowledge that the results
may be biased by external events such as media coverage. Finally, because we used
a web-based collection method, it is possible that non-web responses by mailed
survey or telephone call would result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of
confidential responses received from subjects. While certain checks and balances
can be incorporated into the survey process, there is always the possibility that a
subject did not provide a truthful response.