2012 Study on Application Security: A Survey of IT Security and Developers
• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
• The Institute has assembled more than 60 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
• The majority of active participants are privacy or information security leaders.
About this research
• This research was conducted to understand the perceptions both security and development practitioners have about application security maturity.
• Key topics include:
– Adopted processes considered most effective
– Adoption and use of technologies that are affecting the state of application security
– Gaps between people, process and technology and the effect they have on the enterprise
– Different perceptions security and development practitioners have about application maturity, readiness and accountability
– Threats to the application layer, including emerging platforms
– Application-layer links to data breaches
Attributions about the maturity of IT security activities
Chart: share of respondents agreeing with each statement (0% to 70% axis). Statements rated:
• Security technologies are adequate in protecting our information assets and IT infrastructure
• Application security is a top priority in my organization
• IT security strategy is fully aligned with the business strategy
• Security & data protection policies are well-defined and fully understood by employees
• The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
• Appropriate steps are taken to comply with the leading IT security standards
• IT security can hire and retain knowledgeable and experienced security practitioners
• The IT security leader is a member of the executive team
• IT security responds quickly to new challenges and issues
• There are ample resources to ensure all IT security requirements are accomplished
Please choose one statement that best describes security threats in your organization today
Chart: responses by group. Options:
• Human and code-induced threats are equal in terms of inherent security risk
• Human factor threats present a greater inherent security risk than code-induced threats
• Code-induced threats present a greater inherent
Does your organization have a process for ensuring that security is built into new applications?
Chart: responses by group (0% to 50% axis). Options shown:
• Yes, we have a standardized process
• Yes, we have a non-standardized or “ad hoc” process
In your opinion, is security adequately emphasized during the application development lifecycle?
Where in the application development lifecycle does your organization build in security features? (More than one choice permitted)
Chart: responses by phase (0% to 35% axis): Design phase, Development phase, Launch phase, Post-launch phase, Unsure.
Organizations can’t identify a starting point… And they are looking at the other organization to get it done.
• 47% of developers state that there is no formal mandate in place to remediate vulnerable application code.
• 29% of security personnel state that there is no formal mandate in place to remediate vulnerable application code.
• 51% of developers have no training in application security.
• 51% of security personnel have no training in application security.
• 54% of developers feel fixing bugs/patching applications is a drain on their company’s time and budget.
• 46% of security personnel say the major attack methodology in breaches over the past 24 months is SQL injection.
How does your organization mandate the remediation of vulnerable code? (One best choice)
Chart: responses by group. Options:
• No formal mandate to remediate vulnerable code exists (developers 47%, security personnel 29%)
• It’s driven through the security organization, where the development organization remediates according to best practices
• Compliance mandates drive the process and the risk group is responsible for pushing the directive
• Development or engineering drives the process without any mandate from security
• External auditors provide the mandate, which then gets pushed down through the corporate risk group
Has your organization deployed a training program on application security?
What does your development team use to ensure they are successful in remediating potentially vulnerable code or fixing bugs? (More than one choice permitted)
What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)
Chart: responses by group. Attack methods listed:
• SQL injection attack at the application layer
• Cross-site scripting attack at the application layer
• Exploit of insecure code through use of a Web 2.0 application
• Exploit of insecure software code on a mobile device
• Privilege escalation attack at the application layer
Breaches continue to happen at the application level. Yet budget prioritization leans toward the network…
• Two-thirds of developers have experienced between 1-10 breaches in the past 24 months due to insecure applications.
• Half of security personnel state they have experienced between 1-10 breaches in the past 24 months due to insecure applications.
• 15% of developers feel all of their organization’s applications meet security regulations.
• 12% of security personnel feel all of their organization’s applications meet security regulations.
• 16% of developers don’t know if a breach has even occurred within their organization at the application layer.
• 19% of security personnel don’t know if a breach has even occurred within their organization at the application layer.
How often over the past 24 months has your organization experienced a data breach or security exploit as a result of an application being compromised or hacked?
To the best of your knowledge, are your organization’s applications compliant with all regulations for privacy, data protection and information security?
What percentage of your IT security budget is dedicated to application security measures or activities?
Chart: responses by budget band (0% to 45% axis): Less than 10%, 11 to 20%, 21 to 30%, 31 to 40%, 41 to 50%, More than 50%.
Please choose one statement that best describes security priorities in your organization today.
Chart: responses by group (0% to 50% axis). Options:
• Network security is a lower priority than application security
• Network security is a higher priority than application security
• Network security and application security are equal in terms of security priorities
Software security lives in a silo organizationally. And no one wants to own it…
• 44% of developers say there is no collaboration between the development organization and the security organization.
• 36% of security personnel state there’s at least some collaboration between the development organization and the security organization.
• 42% of developers say that no one person owns security in the SDLC.
• 28% of security professionals feel the CISO should bear the ultimate responsibility for application security in the SDLC.
• 37% of developers build security into the design or development phase of the SDLC.
• 60% of security personnel say that security is built into the design or development phase of the SDLC.
What best describes the nature of collaboration between your organization’s application development and security teams?
Chart: responses by group (0% to 50% axis): Significant collaboration, Some collaboration, Limited collaboration, No collaboration.
Who in your organization is most responsible for ensuring security in the application development lifecycle?
We haven’t wanted to admit it, but mobile and social media apps are here to stay…and we better plan ahead!!
• 47% of developers say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
• 46% of security personnel say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
• 29% of developers say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.
• 24% of security pros say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.
• 65% of developers do not test mobile applications in production, development or Q/A processes.
• 60% of security personnel
What do you see as the two most serious emerging threats relative to application security over the next 12 to 24 months?
Chart: responses by group. Options:
• Insecure mobile applications
• Attacker infiltration through Web 2.0 applications
• Hybrid mobile platform/Web 2.0 software vulnerabilities
Following are three scenarios about attacks that may significantly impact your organization.
Chart: share of respondents agreeing with each scenario, by group:
• Attacks through insecure mobile applications will significantly disrupt business operations within my organization
• Attacks through insecure applications will significantly disrupt business operations within my organization
• Attacks through an insecure network will significantly disrupt business operations within my organization
What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)
Chart: responses by group. Attack methods listed:
• SQL injection attack at the application layer
• Exploit of insecure code through use of a Web 2.0 application
• Privilege escalation attack at the application layer
• Cross-site scripting attack at the application layer
• Other attack methodology at the application layer
• Exploit of insecure software code on a mobile device
Does your organization test mobile apps in the following venues? (More than one choice permitted)