A bridge too far: Assessing the current state of application security

A recent report finds that applying security procedures to application development is severely lacking in many organizations.

There are some things in life that come as no surprise: New York Yankee Alex Rodriguez being a cheater, Katy Perry breakups, and application security remaining in a dismal state. Recently, Ed Adams, CEO of Security Innovation, and renowned researcher Larry Ponemon teamed up to produce "The State of Application Security" report, which identifies the largest areas of concern within the application security realm. This report is fairly representative of application security throughout all industries (not just tech companies), so it is very useful for those in varying verticals.

This year's primary finding is that a much higher percentage of executive respondents believe their organizations are adhering to security procedures throughout the application development lifecycle than do the security staff and engineers who are closest to executing the actual security processes. This is a serious and dangerous misalignment for any organization. Another troubling (albeit not shocking) conclusion is that the majority of organizations are doing the bare minimum as it pertains to addressing application security throughout their development process.

Major disconnect

According to Ed Adams, one of the more mind-boggling findings from the report is that 57% of organizations still do not have a basic SDLC in place (we're not even talking about a secure development lifecycle, just a basic, run-of-the-mill software development model). He went on to say that it is "alarming that most organizations are not testing (or investing in) for application security especially given that the application layer is at greater risk as more new threats are targeting specifically the application layer." The disconnect between executive management and the "on the ground" security and development staff only exacerbates the situation. Having IT executives assure other executives that all is peachy even when it's not leads to a false sense of security that will undoubtedly be shattered.

From Ponemon's perspective, the biggest concern for security professionals should be addressing this disconnect gap. Clearly there is extensive filtering of information as it moves up the chain from the rank and file. Often people are afraid to be the bearer of bad news and are afraid to tell their superiors the truth. He predicts the gap will worsen as "more and more disruptive technology is introduced into organizations, each bringing additional complexities. BYOD, new development languages, platforms (iOS and Android) each have their own security challenges."

Both Ponemon and Adams agree that organizations are simply not doing enough in terms of updating their internal security training for developers. The root cause is that the vast majority of colleges and training grounds for developers do not teach secure coding, thus pushing the burden onto organizations. Until secure development methodologies and secure coding are taught to young developers while they are still in school, we will not see major improvement in this area.

Unless you're a pyromaniac like the Roman emperor Nero, how can you best fix this situation without watching your surroundings burn to the ground? A sad fact, but indicative of human nature, is that most of us are not compelled to change until some massive data breach or severe incident occurs. Unfortunately, negative events tend to be the major driver behind change (you didn't stop eating those breakfast burritos until after you had a heart attack). This doesn't mean that you should sit idly by and twiddle your thumbs, waiting for impending doom. Adams explained to me that there are three critical elements of high-performing organizations (as it pertains to application security) that other organizations should begin emulating:

  1. Define development standards and hold people accountable
  2. Continuous development training (both from a technology and role specific perspective)
  3. Define how to measure and assess success

Developers are creative people who do not like to be boxed in by rigid structure. So instead of approaching developers with a "do this and not that" mindset, engage their inquisitive side. Avoid forcing a security culture on them; instead, try meshing their culture with the hacker mindset. When developers can see how application vulnerabilities can be exploited and to what degree, they will be much more compelled to adopt secure coding practices than if you simply hand them a tip sheet on how to write SQL securely.

The final takeaway is for security pros to up the ante when it comes to ensuring that application security is included in the next budget. Many IT executives only pencil in perimeter protection: it has been such a staple of security spending for so long that a disproportionate amount of the security budget goes towards it while application-level security gets short shrift. The prevailing thought among many executives is that $1 spent on anything security-related is money well spent (it is incumbent on IT security teams to better educate their executives on how to spend security's limited dollars based on priority and threats). Detailing ROI metrics (which every business exec loves) can be difficult, but the key is to ensure that a holistic approach is embraced.

I'd like to thank both Dr. Larry Ponemon and Ed Adams for their insight and for taking the time to discuss their findings. The report is well worth the read for any IT professional (especially those with security or application development roles). This is one security gap that we must bridge.


About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

4 comments
Sonatype

"57% of organizations still do not have a basic SDLC in place"

That's a number we'd hope to see shrink dramatically in the next few years! More and more applications are being built using open source code, and developers have to know that they can trust what they are using. Just because something is popular does not automatically mean it is safe. Trying to go back in and make something secure just adds extra work for your team.

ahanse

Yes, OK, but nothing really new.

People have been passing the buck up and down the chain for some time now and will continue for a while yet. With so much at stake it is surprising that this behaviour is still hanging around. The so-called experts called consultants seem to take limited responsibility, which should be factored into the mix.

I take umbrage at your take on developers. If they cannot code to a security pattern then kick 'em, because it is that free spirit that makes things hard for fellow developers to work with and well... You see the results... security-style coding is number one in today's world, and once they get it right the rest is a lot easier. The hackers, no matter how annoying they are, have a place in the scheme of things when sloppy work is let loose. Surrounding it with third-party security measures is not sustainable. Regarding secure applications, I cannot see a light at the end of the tunnel yet and wonder if it is at all possible.

BTW: The so-called teachers at our educational institutions are dinosaurs from the past when security was in its infancy, so you will have to wait a while yet.

mobilesite

Bridge the security gap. This is what we all want. However, securing mobile applications is not that easy. Being a part of the mobile app development industry, I am pretty aware of the vulnerability of mobile apps.