IBM, Ponemon Say App Security Still Lags in the Enterprise
A recent study from IBM and the Ponemon Institute indicates that more than a third of organizations neglect to test new apps for vulnerabilities.

IBM and the Ponemon Institute this week released a new study showing that cyber security is finally receiving attention from the C-suite, but application security remains a weak point in many organizations in terms of budgets, priority and strategy.

The new study, How to Make Application Security a Strategically Managed Discipline, available here, reports that 35 percent of organizations do not perform any major application security testing for application vulnerabilities. Moreover, almost half (48 percent) of respondents said their organization does not take any steps to remediate the risks associated with vulnerable applications.

“How can organizations protect their applications when they don’t even engage in basic security measures such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST)?” said Neil Jones, market segment manager for application security at IBM, in a blog post about the report.

More than two-thirds of respondents (67 percent) said their IT function does not have visibility into the overall state of application security, and most (65 percent) say their application security practices are fragmented and carried out at a low level. Additionally, only 25 percent said their organizations’ ability to protect applications from a security exploit or compromise is highly effective.

Prevention of attacks on applications is also a low priority, according to the survey results. Only 23 percent of respondents said prevention is among their top three application security risk management objectives. Further, only 21 percent said that attack prevention helps to preserve brand image and organizational reputation, even though an organization’s good name is often put at risk when its applications are vulnerable to attacks.
One factor leading to a lack of app security from the outset is that developers are pressured by a “rush to release,” Diana Kelley, executive security advisor at IBM Security, told week. Fifty-six percent of survey respondents said their organizations are influenced by pressure to release new apps quickly.