IBM and the Ponemon Institute this week released a new study showing that cyber security is finally receiving attention from the C-Suite, but application security remains a weak point in many organizations in terms of budgets, priority and strategy.
The new study, How to Make Application Security a Strategically Managed Discipline, available here, reports that 35 percent of organizations do not perform any major application security testing for application vulnerabilities. Moreover, almost half (48 percent) of respondents said their organization does not take any steps to remediate the risks associated with vulnerable applications.
“How can organizations protect their applications when they don’t even engage in basic security measures such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST),” said Neil Jones, market segment manager for application security at IBM, in a blog post about the report.
More than two-thirds of respondents (67 percent) said their IT function does not have visibility into the overall state of application security and most (65 percent) say their application security practices are fragmented and carried out at a low level. Additionally, only 25 percent said their organizations’ ability to protect applications from a security exploit or compromise is highly effective. Prevention of attacks on applications also is a low priority, according to the survey results. Only 23 percent of respondents said prevention is among their top three application security risk management objectives. Further, only 21 percent said that attack prevention helps to preserve brand image and organizational reputation, even though an organization’s good name is often put at risk when its applications are vulnerable to attacks.
One factor leading to a lack of app security from the outset is that developers are pressured by a “rush to release,” Diana Kelley, executive security advisor at IBM Security, told week. Fifty-six percent of survey respondents said their organizations are influenced by pressure to release new apps quickly.
“What was unexpected is that we are still seeing such high numbers,” Kelley said. “Forty-eight percent of organizations not taking steps to remediate the risks and 56 percent saying they are still being affected by the pressure to get applications out in a hurry was a bit unexpected. Timing is all the more important in the post-DevOps, mobile app world. So time is a pressure to be expected, but that is not something that we say we live with all the time without having security built in to that time pressure lifecycle. So that is a bit of a surprise.”
Nevertheless, the pressure is on to deliver. Think about how much code gets pushed and the sheer number of apps and services that exist in organizations today, Kelley noted the issue been compounded by the fact that there is now a requirement to have mobile apps for everything and to support a variety of different sets of platforms. There‘s just the increase in the sheer volume of applications that are being deployed right now, she said.