
[Research] The State of Application Security

Sep 12, 2013 By carolineb

The State of Application Security

A Research Study by Security Innovation, Checkmarx’s partners and Ponemon Institute LLC

View Full Research

For over 10 years, Security Innovation has been researching application security and created the Application Security Maturity (ASM) model to help organizations understand their readiness to build secure software applications.

The present study utilizes Security Innovation’s Secure Software Development Lifecycle (SDLC) Maturity Questionnaire, which comprises 20 objectively framed questions concerning tools usage, development team knowledge and security best practices. It is used to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations.

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher. Over half of the respondents are employed by organizations of more than 5,000 employees. Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes. This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities. Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

  1. Application Security Standards
  2. Regular Security Assessments for measurement
  3. Training for each role in the SDLC

The mature organizations share common characteristics:

  • Writing and adopting security architecture and development standards.
  • Training their development teams on application security topics based on role, platform, and technology used.
  • Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
  • Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.

The primary goal of this research is to stimulate increased awareness of the importance of application security and to encourage a dialog between executives and practitioners, so that there is a common understanding of organizational realities concerning their ability to build more secure software.

Read research


  • “a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.”

    That’s a big miscommunication. And I would be more inclined to believe the developers who are actually making things happen over the managers who just see the end result. My question is why is there such a disparity? Where does the breakdown happen between management and developer?
