    IBM, Ponemon Say App Security Still Lags in the Enterprise

    Written by

    Darryl K. Taft
    Published March 11, 2016

      IBM and the Ponemon Institute this week released a new study showing that cyber security is finally receiving attention from the C-suite, but application security remains a weak point in many organizations in terms of budgets, priority and strategy.

      The new study, How to Make Application Security a Strategically Managed Discipline, available here, reports that 35 percent of organizations do not perform any major application security testing for application vulnerabilities. Moreover, almost half (48 percent) of respondents said their organization does not take any steps to remediate the risks associated with vulnerable applications.

      “How can organizations protect their applications when they don’t even engage in basic security measures such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST)?” said Neil Jones, market segment manager for application security at IBM, in a blog post about the report.

      More than two-thirds of respondents (67 percent) said their IT function does not have visibility into the overall state of application security and most (65 percent) say their application security practices are fragmented and carried out at a low level. Additionally, only 25 percent said their organizations’ ability to protect applications from a security exploit or compromise is highly effective. Prevention of attacks on applications also is a low priority, according to the survey results. Only 23 percent of respondents said prevention is among their top three application security risk management objectives. Further, only 21 percent said that attack prevention helps to preserve brand image and organizational reputation, even though an organization’s good name is often put at risk when its applications are vulnerable to attacks.

      One factor leading to a lack of app security from the outset is that developers are pressured by a “rush to release,” Diana Kelley, executive security advisor at IBM Security, told eWEEK. Fifty-six percent of survey respondents said their organizations are influenced by pressure to release new apps quickly.

      “What was unexpected is that we are still seeing such high numbers,” Kelley said. “Forty-eight percent of organizations not taking steps to remediate the risks and 56 percent saying they are still being affected by the pressure to get applications out in a hurry was a bit unexpected. Timing is all the more important in the post-DevOps, mobile app world. So time is a pressure to be expected, but that is not something that we say we live with all the time without having security built in to that time pressure lifecycle. So that is a bit of a surprise.”

      Nevertheless, the pressure is on to deliver. Think about how much code gets pushed and the sheer number of apps and services that exist in organizations today, Kelley noted; the issue has been compounded by the fact that there is now a requirement to have mobile apps for everything and to support a variety of different platforms. There's simply an increase in the sheer volume of applications being deployed right now, she said.

      Compounding the issue of the sheer volume of applications being deployed is that 69 percent of respondents said their organization doesn’t even know all of the applications that are currently active within their company—perhaps the most alarming statistic to emerge from the study.

      Kelley, a 25-plus year IT industry veteran, said she started out as a network and firewall security expert, and also was a system administrator.

      “About 10 years into my career I realized that no matter what I did at the network level, the bad guys were getting through because of what was happening at layer 7 and all the crazy applications I was putting on my network,” she said. Layer 7, the Application Layer of the Open Systems Interconnection (OSI) communication model, provides common services used by applications to establish communication with each other, as well as specific services.

      Today, there are all kinds of apps being introduced to enterprise networks that IT departments have to confront, including applications and services introduced by shadow IT elements, Kelley said.

      “When I was an admin I had a pretty small network and we had static IPs assigned to everybody,” she said. “And even then I would see activity on my firewall log or on my network monitor that would indicate that people were going to applications and services outside the network that I didn’t expect them to, and also that things were running on my network that I didn’t have control over. But it was a much smaller problem. What we’re dealing with now is exponentially larger, especially when you start adding in different kinds of platforms–not just a desktop, but we’ve got mobile devices, Internet of Things and the cloud.”

      The study also indicated that visibility and allocation of resources to deal with the most likely data breaches are considered critical control activities. Thus, one of the first steps that need to be taken is to get an assessment of what apps are on an organization’s network.

      “One thing we wanted to get across is that people should really get an inventory,” Kelley said. “You need to get a handle on what applications you have, what applications you’re building, and if there’s an option to do some optimizations or keep it simple, make sure you need all those applications. Do you have multiple apps running that perform similar roles? You need to get better awareness of what you’ve got and what you’re using. Number one: get a handle on what you have.”

      According to Jones, after getting a full picture of what their application environment looks like, organizations should unify their security practices, staff up and tool themselves to deal with security issues, and then get a handle on the security vulnerabilities that exist in their organization.

      Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.