Key Takeaways from Ponemon’s 2017 Study on Mobile and Internet of Things Application Security

Today, organizations are developing and releasing mobile and Internet of Things (IoT) devices and apps at a rapid speed. According to recent research, it is estimated that around 50B IoT devices will be connected to the Internet by 2020 while 2017 started with a record 2.2M downloadable apps in the App Store.


Every year, the Ponemon Institute releases a study on Mobile and Internet of Things Application Security, focused on understanding how organizations are lowering the risks posed by mobile and IoT apps in the workplace. The study shows that while worry over, and understanding of, mobile and IoT application security threats is increasing, there is a severe lack of urgency in addressing the issues, and proper application security testing is occurring only during the later stages of an app’s SDLC.

Continue reading for a full list of key takeaways from Ponemon’s 2017 Study on Mobile and Internet of Things Application Security.


  • Worry over mobile and IoT application security in the workplace expands across the board
    Organizations are having an increasingly difficult time securing the IoT apps used in the workplace, and are more concerned about potential attacks. Fear of potential hacks through IoT applications (58%) is higher than fear of hacks through mobile applications (53%), but both percentages are high. Yet, despite the concern, a significantly low number of organizations are prepared to face these threats. To be precise, 11% of participants were unsure whether their organizations were taking measures to prevent such attacks, and 44% of participants said their organizations had taken no steps to protect against and prevent such attacks.

  • Malware is considered to be a larger threat to mobile apps than to IoT apps
    84% of participants are worried about the threat of malware to mobile apps, while 66% of participants are worried about the same threat to IoT apps.

  • Organizations’ security posture is threatened by mobile and IoT applications
    79% of respondents said that the use of mobile apps drastically increases security risk, while slightly fewer (75%) said that IoT apps had the same effect on the organization’s security posture.

  • Fear of potential attacks and new regulations lead to the growth of application security budgets
    A low percentage of respondents (30%) said that their organization assigns an ample budget dedicated to application security (both mobile and IoT). However, 54% of respondents from organizations that faced a serious cyber security incident would very likely consider increasing their application security budgets, while 46% would likely increase security budgets due to new security regulations. Only 25% reported that reports of hacks and data breaches would result in an increased security budget.

  • The primary reason mobile and IoT apps contain vulnerable code is quick releases
    Based on responses, 69% of participants blame the pressure placed on development teams as the main reason why mobile applications are released with vulnerable code, compared with 75% pointing to the same issue as the cause of vulnerable code in IoT devices. According to 65% of responses, unforeseen or accidental coding flaws result in vulnerable code, and a general lack of internal policies clarifying security requirements may negatively impact application security.

  • Despite the known risks, organizations lack urgency when addressing threats
    While the lack of urgency may be due to an organization’s failure to take the necessary steps to protect data, or to low application security budgets, a significantly low percentage of respondents (32%) state that their organization urgently works to secure mobile apps, while 42% say the same for IoT apps.

  • Application security testing usually happens during production
    The answers of 58% of participants show that organizations tend to wait until their IoT applications are in production before proceeding with application security testing; 39% said that mobile applications were tested during the production stage. Furthermore, on average, only 29% of IoT and mobile apps alike are tested for vulnerabilities at all; of those, an average of 30% of mobile apps and 38% of IoT apps were found to contain significantly threatening vulnerabilities.



To download a full copy of the report, visit

