Application Security Viewed Differently by IT Pros, Executives
A Ponemon survey found the majority of organizations do not have a formal application security training program.A much higher percentage of executive-level employees believe their organizations are following security procedures through the life cycle of application development than do the engineers who are closest to executing the security processes, according to a survey of 642 IT professionals in both executive and engineering positions, which was conducted by the Ponemon Institute and Security Innovation. Another troubling conclusion of the report was that most organizations are only taking minimal steps to address application security throughout their development process. For example, most organizations do not have a defined software development process in place and most organizations are not testing for application security. In addition, the survey indicated executives are far more likely to agree that their organizations measure developers for compliance with secure architecture standards while only 23 percent of technicians and staff believe such measures are taken. Three-quarters of executives believe security standards are in place as opposed to just 23 percent of technicians who strongly agree or agree their organizations have defined secure architecture standards. "The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities," the report said. "The findings of this study reveal the need for making greater investment in application security programs to reduce overall organizational exposure to cyber-crime."
The survey found the majority of organizations do not have a formal application security training program, most development teams are not measured for compliance with regulations and standards and a majority of organizations do not identify, measure or understand application security risks.