Current State of Application Security

A joint research study between Security Innovation and the Ponemon Institute


  • Follow-up to last year’s study released by Ponemon Institute and Security Innovation, entitled “Application Security Gap Study: A Survey of IT Security & Developers”
  • 642 IT professionals (both executive and engineering positions) were asked 20 questions concerning tool usage, development team knowledge and security best practices
  • Objective was to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations
  • Primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes

Key Findings

  • Most organizations do not have a defined software development process in place
  • Most organizations are not testing for application security
  • Policies and requirements are often ad-hoc and not integrated into the SDLC
  • The majority of organizations do not have a formal application security training program
  • Most development teams are not measured for compliance with regulations and standards
  • Most organizations do not identify, measure, or understand application security risks
  • Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities