Current State of Application Security

A joint research study between Security Innovation and the Ponemon Institute

Overview

• Follow-up to last year’s study released by Ponemon Institute and Security Innovation entitled, Application Security Gap Study: A Survey of IT Security & Developers
• 642 IT professionals (both executive and engineering positions) were asked 20 questions concerning tools usage, development team knowledge and security best practices
• Objective was to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations
• Primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes

Key Findings

• Most organizations do not have a defined software development process in place
• Most organizations are not testing for application security
• Policies and requirements are often ad-hoc and not integrated into the SDLC
• The majority of organizations do not have a formal application security training program
• Most development teams are not measured for compliance with regulations and standards
• Most organizations do not identify, measure, or understand application security risks
• Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities