2012 Study on Application Security: A Survey of IT Security and Developers

Ed Adams, CEO, Security Innovation

Dr. Larry Ponemon, Ponemon Institute

2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

Today’s webinar:

• Text in questions using the Ask A Question button

• All audio is streamed over your computer
  – Having technical issues? Click the ? button

• Download the slide deck from the Event Home Page

• No CPEs being offered for this event

• Question or suggestion? Email them to [email protected]

Ponemon Institute LLC

• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.

• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.

• The Institute has assembled more than 60 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

• The majority of active participants are privacy or information security leaders.

About this research

• This research was conducted to understand the perceptions both security and development practitioners have about application security maturity

• Key topics include:

– Adopted processes considered most effective
– Adoption and use of technologies that are affecting the state of application security
– Gaps between people, process and technology and the effect they have on the enterprise
– Different perceptions security and development practitioners have about application maturity, readiness and accountability
– Threats to the application layer, including emerging platforms
– Application-layer links to data breaches

Respondent Statistics

Sample response        Security   Developer
U.S. sample frame      14,997     6,962
Returned surveys       665        301
Rejected surveys       98         45
Final sample           567        256
Response rate          3.8%       3.7%

Ponemon Institute: Private and Confidential

Attributions about the maturity of IT security activities

[Chart: percentage of Developers and of Security respondents agreeing with each statement, horizontal axis 0% to 70%. Statements rated:]

• Application security is a top priority in my organization
• Security technologies are adequate in protecting our information assets and IT infrastructure
• IT security strategy is fully aligned with the business strategy
• Security & data protection policies are well-defined and fully understood by employees
• The IT security function is able to prevent serious cyber attacks such as advanced persistent threats
• Appropriate steps are taken to comply with the leading IT security standards
• The IT security leader is a member of the executive team
• IT security responds quickly to new challenges and issues
• There are ample resources to ensure all IT security requirements are accomplished
• IT security can hire and retain knowledgeable and experienced security practitioners

Key Themes

• Application security is often not a priority.

• There is uncertainty about how to fix vulnerable code in critical applications.

• A lack of knowledge about application security is resulting in a high rate of data breaches.

• A lack of accountability and discrepancy in priorities exists in many enterprises.

• Mobile technology and social media platforms are putting organizations at risk.

Application security is often not a priority

Then what are organizations prioritizing? And what does this mean?

• 79% of developers have an ad-hoc, or no, process for building security into applications.

• 64% of security personnel have an ad-hoc, or no, process for building security into applications.

• 71% of developers feel security is not addressed in the SDLC.

• 51% of security personnel feel security is not addressed in the SDLC.

• 30% of developers build security into the post-launch phase.

• 13% of security personnel feel code-induced threats represent a greater threat than the human factor.

Please choose one statement that best describes security threats in your organization today

Statement                                                                                  Developer   Security
Human and code-induced threats are equal in terms of inherent security risk                  41%         44%
Human factor threats present a greater inherent security risk than code-induced threats      21%         43%
Code-induced threats present a greater inherent security risk than human factor threats      38%         13%

Does your organization have a process for ensuring that security is built into new applications?

Response                                               Security   Developer
Yes, we have a standardized process                      36%        21%
Yes, we have a non-standardized or “ad hoc” process      43%        46%
No, we don’t have a process                              21%        33%

In your opinion, is security adequately emphasized during the application development lifecycle?

Response   Security   Developer
Yes          49%        29%
No           51%        71%

Where in the application development lifecycle does your organization build in security features? (More than one choice permitted)

[Chart: Security vs. Developer responses, vertical axis 0% to 35%. Options shown: Design phase, Development phase, Launch phase, Post-launch phase, Unsure.]

There is uncertainty about how to fix vulnerable code in critical applications

Organizations can’t identify a starting point… and are they looking at the other organization to get it done?

• 47% of developers state that there is no formal mandate in place to remediate vulnerable application code.

• 29% of security personnel state that there is no formal mandate in place to remediate vulnerable application code.

• 51% of developers have no training in application security.

• 51% of security personnel have no training in application security.

• 54% of developers feel fixing bugs/patching applications is a drain on their company’s time and budget.

• 46% of security personnel say the major attack methodology in breaches over the past 24 months is SQL injection.

How does your organization mandate the remediation of vulnerable code? (One best choice)

[Chart: Developer vs. Security responses, horizontal axis 0% to 50%. Options shown:]

• No formal mandate to remediate vulnerable code exists
• It’s driven through the security organization, where the development organization remediates according to best practices
• Compliance mandates drive the process and the risk group is responsible for pushing the directive
• Development or engineering drives the process without any mandate from security
• External auditors provide the mandate, which then gets pushed down through the corporate risk group down to security and development teams
• Other (please specify)

Has your organization deployed a training program on application security?

[Chart: Security vs. Developer responses, vertical axis 0% to 40%. Options shown: Yes, fully deployed; Yes, partially deployed; No, but we plan to deploy in the next 12 to 24 months; No; Unsure.]

What does your development team use to ensure they are successful in remediating potentially vulnerable code or fixing bugs? (More than one choice permitted)

[Chart: Developer vs. Security responses, horizontal axis 0% to 60%. Options shown:]

• Homegrown solution
• Static analysis solution
• Training or education as needed
• Dynamic analysis solution
• An IDE system (Integrated Development …
• A bug tracking/de-bugging tool
• Google as a reference
• Wikipedia as a reference
• Other (please specify)

What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)

[Chart: Developer vs. Security responses, horizontal axis 0% to 50%. Options shown:]

• SQL injection attack at the application layer
• Cross-site scripting attack at the application layer
• Exploit of insecure code through use of a Web 2.0 application
• Exploit of insecure software code on a mobile device
• Privilege escalation attack at the application layer
• Other attack methodology at the application layer
• Unsure

A lack of knowledge about application security is resulting in a high rate of data breaches

Breaches continue to happen at the application level. Yet budget prioritization leans toward the network…

• Two-thirds of developers have experienced between 1-10 breaches in the past 24 months due to insecure applications.

• Half of security personnel state they experienced between 1-10 breaches in the past 24 months due to insecure applications.

• 15% of developers feel all of their organization’s applications meet security regulations.

• 12% of security personnel feel all of their organization’s applications meet security regulations.

• 16% of developers don’t know if a breach has even occurred within their organization at the application layer.

• 19% of security personnel don’t know if a breach has even occurred within their organization at the application layer.

How often over the past 24 months has your organization experienced a data breach or security exploit as a result of an application being compromised or hacked?

[Chart: Security vs. Developer responses, vertical axis 0% to 45%. Options shown: Zero (0); 1 to 5; 6 to 10; More than 10; Unsure.]

To the best of your knowledge, are your organization’s applications compliant with all regulations for privacy, data protection and information security?

[Chart: Security vs. Developer responses, vertical axis 0% to 50%. Options shown: Yes, for all applications; Yes, for most applications; Yes, but only for some applications; No; Unsure.]

What percentage of your IT security budget is dedicated to application security measures or activities?

[Chart: Security vs. Developer responses, vertical axis 0% to 45%. Options shown: Less than 10%; 11 to 20%; 21 to 30%; 31 to 40%; 41 to 50%; More than 50%.]

Please choose one statement that best describes security priorities in your organization today.

[Chart: Security vs. Developer responses, vertical axis 0% to 50%. Options shown:]

• Network security is a lower priority than application security
• Network security is a higher priority than application security
• Network security and application security are equal in terms of security priorities

A lack of accountability and a discrepancy in priorities exists in many enterprises

Software security lives in a silo organizationally. And no one wants to own it…

• 44% of developers say there is no collaboration between the development organization and the security organization.

• 36% of security personnel state there’s at least some collaboration between the development organization and the security organization.

• 42% of developers say that no one person owns security in the SDLC.

• 28% of security professionals feel the CISO should bear the ultimate responsibility for application security.

• 37% of developers build security into the design or development phase of the SDLC.

• 60% of security personnel say that security is built into the design or development phase of the SDLC.

What best describes the nature of collaboration between your organization’s application development and security teams?

[Chart: Security vs. Developer responses, vertical axis 0% to 50%. Options shown: Significant collaboration; Some collaboration; Limited collaboration; No collaboration.]

Who in your organization is most responsible for ensuring security in the application development lifecycle?

[Chart: Security vs. Developer responses, vertical axis 0% to 45%. Options shown: CIO; CISO; Head of application development; Head of quality assurance; No one person has overall responsibility; Other (please specify).]

Mobile technology and social media platforms put organizations at risk

We haven’t wanted to admit it, but mobile and social media apps are here to stay… and we better plan ahead!!

• 47% of developers say the most serious emerging threat relative to application security is Web 2.0 or social media applications.

• 46% of security personnel say the most serious emerging threat relative to application security is Web 2.0 or social media applications.

• 29% of developers say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.

• 24% of security pros say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.

• 65% of developers do not test mobile applications in production, development or Q/A processes.

• 60% of security personnel do not test mobile applications in production, development or Q/A processes.

What do you see as the two most serious emerging threats relative to application security over the next 12 to 24 months?

[Chart: Developer vs. Security responses, horizontal axis 0% to 45%. Options shown:]

• Insecure mobile applications
• Attacker infiltration through Web 2.0 applications
• Hybrid mobile platform/Web 2.0 software vulnerabilities
• Social media applications
• Continuance of web applications
• Other (please specify)

Following are three scenarios about attacks that may significantly impact your organization.

[Chart: percentage of Developer and of Security respondents agreeing with each scenario, horizontal axis 0% to 60%. Scenarios shown:]

• Attacks through insecure mobile applications will significantly disrupt business operations within my organization
• Attacks through insecure applications will significantly disrupt business operations within my organization
• Attacks through an insecure network will significantly disrupt business operations within my organization

What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)

[Chart repeated from the earlier slide of the same title: Developer vs. Security responses, horizontal axis 0% to 50%, with the same attack-method options.]

Does your organization test mobile apps in the following venues? (More than one choice permitted)

[Chart: Security vs. Developer responses, vertical axis 0% to 70%. Options shown: Production; Development; Testing and quality assurance; None of the above.]

Questions


Contact Information

Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686
[email protected]

Thank You!

Ed Adams, CEO, Security Innovation
[email protected]

Pre-register for the report at: http://www.securityinnovation.com/security-lab/research.html

Or contact sales at: [email protected]

Thank you!