For over 10 years, Security Innovation has been researching application security and created the Application Security Maturity (ASM) model to help organizations understand their readiness to build secure software applications.
The present study utilizes Security Innovation's Secure Software Development Lifecycle (SDLC) Maturity Questionnaire, which comprises 20 objectively framed questions concerning tool usage, development team knowledge and security best practices. It is used to better understand the maturity of an organization's application security program in comparison to the core competencies of high-performing organizations.
Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher. Over half of the respondents are employed by organizations of more than 5,000 employees.
Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes. This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their
The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities. Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:
The mature organizations share common characteristics by:
The primary goal of this research is to stimulate increased awareness of the importance of application security and to encourage a dialog between executives and practitioners to ensure that there is a common understanding of organizational realities concerning their ability to build more secure software.