May 02, 2018
Whilst a growing number of organisations are aware of the need for application security, few are tackling the issue in an effective way. In a survey of over 640 IT professionals, 7 crucial problems were repeatedly identified as recurrent barriers to effective application security. Resolving these problems will help your organisation improve developer security knowledge, and reduce the costs of software vulnerabilities - helping you to improve the maturity of your application security processes, and share in the competencies of high-performing software organisations.
1) No Defined Software Development Process
Secure application development starts with a defined software development process, with formal processes in place to address software requirements, design, implementation and testing. Many organisations approach these issues in an ad hoc way, without any emphasis on following procedural guidelines. Without the ability to develop software in a repeatable, measured and uniform way, it's almost impossible to integrate security into the development process. Only 43% of surveyed organisations had a defined software development process. Of that 43%, only 69% adhered to the process - resulting in only 30% of all organisations working to a defined development process.
2) Not Testing for Application Security
Despite the common-sense nature of this problem, simple inaction is one of the biggest security threats faced by organisations. Only 43% of surveyed organisations have a defined process in place to mitigate the risk of bugs and defects in developed applications. Even then, most organisations are in the panic-scramble phase of application security maturity - acting in a purely reactive way to security threats.
3) Security Policies are Not Integrated into the SDLC
In order to improve the efficacy of secure application development processes, it's essential to integrate security policies directly into the software development lifecycle (SDLC). The costs of remediating bugs and vulnerabilities grow hugely as an application progresses through the SDLC. When issues are identified during production and post-release, fixing a vulnerability can cost thirty times more to resolve than a problem detected during the requirement and architecture phase.
4) No Formal Application Security Training Program
Defined security policies and requirements are an important part of securing the development process. However, without developer training to help the dev team understand and implement these best practices, security policies will have a negligible impact on vulnerabilities and remediation costs. More than half of organisations (51%) have no application security training program in place. Even fewer organisations are rolling out a security training program in an effective way - combining standards, education and assessment to aid developers in adhering to security policy.
5) Dev Teams Not Measured for Compliance
With a training program in place, it's vital for your organisation to monitor adherence to security policies - both to improve the efficacy of training programs and to measure their return on investment. Development teams need to be assessed across three primary areas: compliance with regulatory requirements, compliance with secure architecture standards and compliance with secure coding standards.
6) Most Organisations Don't Understand Application Security Risks
Application development poses an ever-changing threat, with the security risks faced by your organisation changing in a highly fluid and dynamic way. In order to create and maintain effective security standards, your organisation needs to conduct regular audits to assess potential threats. Most mature organisations use a threat modelling process to achieve this, identifying new threats and prioritising the need for action.
7) Executives and Practitioners Have Different Understandings of Application Security Maturity
In most organisations, there's a serious disconnect between high-level executives and security practitioners, with the C-suite often holding an unrealistic (and unduly optimistic) view of application security in the organisation. This misalignment of priorities is a driving force behind some of the biggest problems faced by organisations - including costly shelfware, ineffective security training, and the poor reputation of security. To remedy this problem, it's important to prioritise security from the top down, and to allow for effective communication between all areas of the organisation - from dev teams, to security, to the C-suite.