Current State of Application Security
A joint research study between Security Innovation and the Ponemon Institute
Overview
- Follow-up to last year’s study released by Ponemon Institute and Security Innovation, entitled Application Security Gap Study: A Survey of IT Security & Developers
- 642 IT professionals (in both executive and engineering positions) were asked 20 questions concerning tool usage, development team knowledge and security best practices
- Objective was to better understand the maturity of organizations’ application security programs in comparison to the core competencies of high-performing organizations
- Primary finding is that a much higher percentage of executive-level respondents than of engineers (the people closest to executing the security processes) believe their organizations follow security procedures throughout the application development lifecycle
Key Findings
- Most organizations do not have a defined software development process in place
- Most organizations are not testing for application security
- Policies and requirements are often ad-hoc and not integrated into the SDLC
- The majority of organizations do not have a formal application security training program
- Most development teams are not measured for compliance with regulations and standards
- Most organizations do not identify, measure, or understand application security risks
- Significant disconnect exists between executives and practitioners regarding perceived levels of application security maturity and activities