A much higher percentage of executive-level employees believe their organizations are following security procedures through the life cycle of application development than do the engineers who are closest to executing the security processes, according to a survey of 642 IT professionals in both executive and engineering positions, which was conducted by the Ponemon Institute and Security Innovation.
Another troubling conclusion of the report was that most organizations are only taking minimal steps to address application security throughout their development process. For example, most organizations do not have a defined software development process in place and most organizations are not testing for application security.
In addition, the survey indicated executives are far more likely to agree that their organizations measure developers for compliance with secure architecture standards while only 23 percent of technicians and staff believe such measures are taken. Three-quarters of executives believe security standards are in place as opposed to just 23 percent of technicians who strongly agree or agree their organizations have defined secure architecture standards.
"The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities," the report said. "The findings of this study reveal the need for making greater investment in application security programs to reduce overall organizational exposure to cyber-crime."
The survey found the majority of organizations do not have a formal application security training program, most development teams are not measured for compliance with regulations and standards and a majority of organizations do not identify, measure or understand application security risks.
Just 43 percent of respondents said their organizations have a defined software development process in place. However, only 31 percent of respondents said their organizations do not adhere to a defined process even if it exists. In addition, specific tools, such as those that automatically scan for security flaws, are not used as widely as they should be—just 42 percent said their organizations subject applications to a manual penetration testing effort by internal teams or by a third party.
"Lack of consistent policies and requirements in place makes it difficult to identify and remediate any security vulnerabilities," the report warned. "To achieve [an acceptable level] of maturity, an organization needs to have normal security requirements defined during the development process, secure coding standards in place and practice review of code versus those standards."
In Ponemon’s 2012 Application Security Gap Study, more than half of respondents (51 percent) said their organizations did not have an application security training program in place. This year’s study had a similar finding. While the organizations may have some type of training in place, a majority of organizations are not updating internal training and education to ensure development teams are capable of adhering to application security policies and best practices.
"Another hurdle to overcome is the application security perception gap that exists in most organizations that has been revealed in this study," the report concluded. "We believe these findings can be useful as a first step to initiating a productive discussion about the positive impact of closing these gaps can have on achieving a stronger allocation security posture."