Enterprise security specialist F5 and the Ponemon Institute teamed up for a comprehensive study on application-centric security and released the results exclusively to eWEEK on Aug. 22.
The report, based on a survey of security professionals about their approach to protecting the applications that are critical to running their businesses, highlights why traditional security methods are no longer effective.
There is currently a lot of buzz about network- and data-centric security but not nearly as much about application-centric security. In an age when hackers remain far, far ahead of security specialists, enterprises should be considering the utility of all types of security.
F5 Networks provides application delivery networking technology that optimizes the delivery of network-based applications.
Key data points from the report include the following.
--Enterprises are investing in the network perimeter (90 percent of budget), but the majority of attacks are aimed at user identity and applications (72 percent of attacks).
--Sixty-three percent of respondents said attacks at the application layer are harder to detect than at the network layer, and 67 percent said these attacks are more difficult to contain than at the network layer.
--Seventy-one percent of security professionals who have integrated DevOps practices into their application development lifecycles say that these practices have improved security and enabled them to respond quickly to vulnerabilities.
Lack of Network Visibility an Important Factor
Another key takeaway from the report is that a lack of visibility into the application layer is now the main barrier to achieving a strong application security posture, F5 Chief Information Security Officer Mike Convertino said in a blog post.
"As a CISO, I need to know everything about the data that flows through those apps: who's using it, where are they accessing it from, and what they're doing with it. And with more and more applications hosted in the public cloud, managing risk becomes even more challenging," Convertino said.
Here are some more detailed highlights from the research.
--A lack of visibility into the application layer is the main barrier to achieving a strong application security posture. Other significant barriers are created by migration to the cloud (47 percent of respondents), lack of skilled or expert personnel (45 percent of respondents) and proliferation of mobile devices (43 percent of respondents). The frequency and severity of attacks on the application layer are considered greater than at the network layer.
Fifty percent of respondents (29 percent + 21 percent) say the application is attacked more, and 58 percent of respondents (33 percent + 21 percent) say attacks are more severe than at the network layer. In the past 12 months, the most common security incidents due to insecure applications were SQL injections (29 percent), distributed denial-of-service, or DDoS (25 percent), and Web fraud (21 percent).
--Network security is better funded than application security. On average, 18 percent of the IT security budget is dedicated to application security. More than double that percentage (an average of 39 percent) is allocated to network security. As a consequence, only 35 percent of respondents say their organizations have ample resources to detect vulnerabilities in applications, and 30 percent of respondents say they have enough resources to remediate vulnerabilities in applications.
Accountability of All Applications Always an Issue
--Accountability for the security of applications is in a state of flux. Fifty-six percent of respondents believe accountability for application security is shifting from IT to the end user or application owner. However, at this time, the responsibility for ensuring the security of applications is dispersed throughout the organization. While 21 percent of respondents say the CIO or CTO is accountable, another 20 percent of respondents say no one person or department is responsible.
Twenty percent of respondents say business units are accountable, and 19 percent of respondents say the head of application development is accountable.
--Shadow IT affects the security of applications. Respondents estimate that on average their organizations have 1,175 applications, and an average of 33 percent are considered mission-critical. Sixty-six percent of respondents are only somewhat confident (23 percent) or have no confidence (43 percent) they know all the applications in their organizations.
Accordingly, 68 percent of respondents (34 percent and 34 percent) say their IT function does not have visibility into all the applications deployed in their organizations, and 65 percent of respondents (32 percent and 33 percent) agree that shadow IT is a problem.
--Mobile and business applications in the cloud are proliferating. An average of 31 percent of business applications are mobile apps, and this will increase to 38 percent in the next 12 months. Today, 37 percent of business applications are in the cloud, and this will increase to an average of 46 percent.
--The growth in mobile and cloud-based applications is seen as significantly affecting application security risk. Sixty percent of respondents say mobile apps increase risk (25 percent) or increase risk significantly (35 percent). Fifty-one percent of respondents say cloud-based applications increase risk (25 percent) or increase risk significantly (26 percent). Hiring and retaining skilled and qualified application developers will improve an organization's security posture.
Shortage of Skilled Techs Another Problem
Sixty-nine percent of respondents believe the shortage of skilled and qualified application developers puts their applications at risk. Moreover, 67 percent of respondents say the "rush to release" causes application developers in their organizations to neglect secure coding procedures and processes.
--Ensuring that developers understand secure coding practices can reduce application security risk. The two main reasons applications contain vulnerable code are developers who do not understand secure coding practices and poor coding.
--More testing of applications is needed. Almost half of respondents say their organization does not test applications for threats and vulnerabilities (25 percent) or testing is not pre-scheduled (23 percent). Only 14 percent of respondents say applications are tested every time the code changes.
Currently, respondents have little confidence that application developers in their organization practice secure design, development and testing of applications. Seventy-four percent of respondents say they are only somewhat confident (27 percent) or have no confidence (47 percent) that practices such as input/output validation, defensive programming and appropriate compiler/linker security options are applied in application development.
--DevOps or continuous integration is believed to improve application security. Thirty-five percent of respondents say their organizations have adopted DevOps or continuous integration practices into the application development lifecycle. Of these respondents, 71 percent say it improves application security and enables them to respond quickly to security issues and vulnerabilities (56 percent of respondents).
Firewalls Still a Major Part of Current Systems
Web application firewalls (WAFs) are the primary means of securing applications. Thirty percent of respondents say their organizations use WAFs to secure applications. Twenty-one percent of respondents say they use application scanning, and 19 percent of respondents say they use penetration testing to secure applications.
--Thirty-nine percent of respondents say their organizations use micro-segmentation to enhance the security posture of their applications, and 37 percent use Linux or Windows containers. Thirty-one percent of respondents say their organizations use managed, cloud-based application services.
--Cyber security threats will weaken application security programs, but new IT security and privacy compliance requirements will strengthen these programs. Eighty-eight percent of respondents are concerned that new and emerging cyber-security threats will affect the security of applications. In contrast, 54 percent of respondents say new and emerging IT security and privacy compliance requirements will help their security programs. According to respondents, there are more trends expected to weaken application security than will strengthen security.
The responsibility for securing applications will move closer to the application developer. Sixty percent of respondents anticipate the applications developer will assume more responsibility for the security of applications. Testing for vulnerabilities should take place in the design and development phase of the system development life cycle (SDLC). Today, most applications are tested in the launch or post-launch phase (61 percent). In the future, the goal is to perform more testing in the design and development phase (63 percent).
--Do secure coding practices affect the application delivery cycle? Fifty percent of respondents say secure coding practices, such as penetration testing, slow down the application delivery cycle within their organizations significantly (12 percent of respondents) or cause some slowdown (38 percent of respondents). However, 44 percent of respondents say there is no slowdown.
--How secure coding practices will change. The secure coding practices most often performed today are running applications in a safe environment (67 percent of respondents), using automated scanning tools to test applications for vulnerabilities (49 percent) and performing penetration testing procedures (47 percent).
What's Going to Happen in the Near Future
--In the next 24 months, the following practices will most likely be performed: running applications in a safe environment (80 percent of respondents), monitoring the runtime behavior of applications to determine if tampering has occurred (65 percent of respondents) and performing penetration testing procedures (63 percent of respondents).
If you'd like to learn more, F5 is conducting a webinar with Larry Ponemon, chairman and founder of the Ponemon Institute, and David Holmes, security evangelist at F5, on Aug. 30 from 10 a.m. to 11 a.m. PT.