SANS State of App Sec report: It's not just about dev teams

John P. Mello Jr., freelance writer

Application security reaches well beyond your development team—that's the key finding in a recent report on application security released by the SANS Institute.

The 2016 State of Application Security: Skills, Configurations and Components, based on a survey of 475 security professionals, concludes that application security programs must be a coordinated effort between developers, architects, and system administrators, and security must be integrated earlier in the application development lifecycle. The reason: Software vulnerabilities are often not attributable to the development team, but rooted in configuration issues or third-party components.

App-centric security a growing focus

Application security finally appears to be catching on with organizations, according to the report, which was written by SANS Institute dean of research Johannes Ullrich. According to the report, more than two-thirds of the survey participants (67%) have at least partly integrated application security into their overall security, risk management, and incident response programs, while about one-sixth of the organizations (17%) have achieved full integration into their enterprise security schemes.

Security professionals recognize the need for application security programs and are working to improve their approaches, the report said, "despite a lack of the necessary skills, lack of funding and management buy-in, and silos between departments hampering AppSec programs."

Organizations also appear to be getting the message about the threat that third-party vendors can pose to their operations. Four out of ten respondents (40%) said that they have documented approaches and policies in place to which third-party software vendors must adhere. That's a jump of 12 percentage points from the 2015 survey, when only 28% of those polled had any kind of risk management program for vendors.

"Application development companies are asked to provide long-term support to provide security updates," the report explained. "The total cost to create software may depend on the cost of these long-term support agreements."

The report advised application developers, "To correctly estimate and reduce these costs, application development companies need to invest more up front to limit their exposure to security vulnerabilities."

App sec programs maturing

Overall, 63% of enterprises said their application security programs were "maturing," "mature," or "very mature." Specifically, nearly four out of ten respondents (37.5%) described their programs as maturing, and almost one quarter (22%) said their programs were mature. But app security is still a work in progress: just 3.5% of the security administrators and analysts, senior-level managers, and security architects who participated in the survey described their programs as very mature.

Enterprise application security was reported as most advanced by high-tech companies, where 77% of the respondents characterized their programs as very mature, mature, or maturing. The financial services and banking sector, where the need for compliance has brought application security to the attention of C-level executives, came in second, at 76%. Telecommunications came in third, at 74%.

On the other end of the spectrum, one of the more shocking findings by SANS was how undeveloped application security is in the education sector (although it should be noted that it represented only about 5% of the survey's total respondents). Nearly three quarters of security professionals in that sector (73%) had either immature or nonexistent application security programs. "This lack of concern for application security is alarming when we consider the number of public-facing web applications used by educational institutions for everything from registration to purchasing textbooks," the report said.

Health care was another weak sector, with seven in ten respondents describing their application security programs as "immature."

A focus on app sec training and testing

Respondents said training is the most useful application security process, even more so than vulnerability scanning, and most training is aimed at developers. That may be a sign that organizations are moving application security further down the software development lifecycle, especially considering that 30% of respondents now say their development teams are responsible for security testing, up from just 22% last year.

Organizations are also spreading out application security responsibilities across their security, development, business, architecture, and QA teams, the report stated. "This may explain why only 23% said their applications were the source of actual breaches that resulted in attacks on others or loss of sensitive data," it noted.

Nevertheless, companies still seem to be leaning heavily on runtime testing performed by security teams either at the end of development or after the application has been deployed, the report said.

As a result of testing, more than half of the respondents (57%) said they found 1 to 25 vulnerabilities per month in their apps, the report found, while about one in ten survey participants (12%) found 26 to 50 flaws in their apps per month.

More than half of respondents (54%) said only 1% to 10% of the vulnerabilities discovered were critical. About a quarter of the participants (24%) said 50% to 75% of the critical vulnerabilities discovered were code-based bugs, while 21% said only 10% to 24% of their critical vulnerabilities were code-based.

Patching, as in past years, appears to be a sore point for organizations. Fewer than 30% of respondents reported a 75% to 99% satisfaction level with the speed at which flaws are repaired, and only 11% were 100% satisfied with their remediation performance.

Repair times were comparable to last year's study: 26% of vulnerabilities were patched in two to seven days, and another 26% were patched within eight to thirty days.

What worries organizations the most

Public-facing web applications and legacy apps worry organizations most, according to the report. Of the respondents who said their applications were a source of a data breach, nearly a quarter (23%) said the app at the source of the breach was either facing the public web or a legacy app.

"Because they are difficult to patch and upgrade, legacy applications are often considered to be at high risk, even if they are not exposed to the public," the report stated.

Two major challenges facing application security professionals are funding shortfalls and a skills shortage. Almost three in ten participants (29%) said their organizations allocate 1% or less of IT spend to application security, while about a quarter (23%) spend between 2% and 5%. Meanwhile, more than one-third of respondents (38%) ranked a lack of skills, tools, and methods as the top challenge.

"Skills shortages will continue to be a problem as new technologies emerge," the report said. "Skills shortages have, historically, been a problem for almost all InfoSec disciplines. Organizations will need to continue to leverage training and education to develop their skill sets."

Take an integrated approach to application security

The consensus from surveyed security organizations is that to create a successful application security program, you must tightly integrate it with the application development lifecycle. "Results show that it takes a village to protect applications," the report said. "Security teams, developers, business units, architects and quality assurance personnel are all part of the ecosystem that protects applications. Together, all parties are maturing their AppSec security programs and are aware that they need to mature more."

Image credit: Flickr
