How much does a typical organization know about the security of the applications it runs? That's the core question that a new Ponemon Institute study sponsored by IBM tries to answer.
According to the study titled "How to Make Application Security a Strategically Managed Discipline," 35 percent of organizations don't use any major application security testing methods for application vulnerabilities.
"Given increasing attention to security across the board, the speed at which the app landscape is growing and how much risk they can introduce, the fact that 35 percent of organizations are performing no app testing is still alarming," Diana Kelley, executive security advisor, IBM Security, told eSecurityPlanet. "Also, most companies are not performing all three major app sec testing methods: static, dynamic, interactive."
While testing apps is the first step, almost half of the respondents said their organization doesn't actually take steps to remediate the risks associated with vulnerable applications, meaning there is still a huge gap when it comes to companies securing their application infrastructure, Kelley added.
Application Security's Visibility Issue
Going a step further, 67 percent of organizations reported that that they have no visibility into the overall state of application security. The rush-to-release mandate in many organizations is one reason why application security is somewhat lacking, the survey found. Fifty-six percent of respondents noted they are under organizational pressure to release applications quickly.
"Compounding this issue is that as companies are deploying new apps into their enterprise faster than ever, they are struggling to even keep tabs on the apps they currently use, let alone secure them," Kelley said. "An astounding 69 percent of respondents confessed they do not know all of the apps and databases currently active within their organizations."
Without this crucial visibility, she said, the resulting strategy quickly becomes a game of whack-a-mole. To solve the problem, organizations need to move to a risk-based approach to security, where they first assess the full scope of their application security preparedness, then begin the necessary process of prioritization, and, ultimately, remediation.
"In the survey, only 15 percent said they have achieved a level of maturity in their application security risk management process by having a formal process applied consistently across the enterprise," Kelley said.
DevOps and Application Security
The DevOps concept, which calls for an integrated development and operations workflow, is rapidly taking hold. The DevOps model could well hold the key to helping improve application security. Bringing a greater level of security closer to the DevOps model is key to transforming app security; today's threat landscape requires security to be ingrained throughout the entire process.
"Ultimately, the goal should be to bring security checks closer to the developer for faster feedback and quicker resolutions," Kelley said. "Just as operations and testing have increasingly been embedded into the development process and taught developers stronger testing practices, security professionals need to focus on bringing security into the DevOps process as well."
For more on application security, check out eSecurity Planet contributor Nazar Tymoshyk's 14-step plan for boosting application security. In another article, he offers good advice on selecting the right security testing tools.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.