2012 Study on Application Security
Transcription
Slide 1: 2012 Study on Application Security: A Survey of IT Security and Developers
Ed Adams, CEO, Security Innovation
Dr. Larry Ponemon, Ponemon Institute
2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

Slide 2: Today's webinar
• Text in questions using the Ask A Question button
• All audio is streamed over your computer. Having technical issues? Click the ? button
• Download the slide deck from the Event Home Page
• No CPEs are being offered for this event
• Questions or suggestions? Email them to [email protected]

Slide 3: Ponemon Institute LLC
• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO's Government & Public Affairs Committee of the Board.
• The Institute has assembled more than 60 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
• The majority of active participants are privacy or information security leaders.

Slide 4: About this research
• This research was conducted to understand the perceptions both security and development practitioners have about application security maturity.
• Key topics include:
– Adopted processes considered most effective
– Adoption and use of technologies that are affecting the state of application security
– Gaps between people, process and technology and the effect they have on the enterprise
– Different perceptions security and development practitioners have about application maturity, readiness and accountability
– Threats to the application layer, including emerging platforms
– Application-layer links to data breaches

Slide 5: Respondent Statistics (U.S. sample response)
Sample frame: Security 14,997; Developer 6,962
Returned surveys: Security 665; Developer 301
Rejected surveys: Security 98; Developer 45
Final sample: Security 567; Developer 256
Response rate: Security 3.8%; Developer 3.7%
Ponemon Institute: Private and Confidential

Slide 6: Attributions about the maturity of IT security activities (percentage agreeing)
Application security is a top priority in my organization: Security 58%, Developers 38%
Security technologies are adequate in protecting our information assets and IT infrastructure: Security 54%, Developers 44%
Security & data protection policies are well-defined and fully understood by employees: Security 53%, Developers 37%
IT security strategy is fully aligned with the business strategy: Security 50%, Developers 39%
Appropriate steps are taken to comply with the leading IT security standards: Security 48%, Developers 41%
The IT security function is able to prevent serious cyber attacks such as advanced persistent threats: Security 46%, Developers 33%
IT security responds quickly to new challenges and issues: Security 42%, Developers 31%
The IT security leader is a member of the executive team: Security 41%, Developers 35%
IT security can hire and retain knowledgeable and experienced security practitioners: Security 40%, Developers 35%
There are ample resources to ensure all IT security requirements are accomplished: Security 36%, Developers 34%

Slide 7: Key Themes
• Application security is often not a priority.
• There is uncertainty about how to fix vulnerable code in critical applications.
• A lack of knowledge about application security is resulting in a high rate of data breaches.
• A lack of accountability and discrepancy in priorities exists in many enterprises.
• Mobile technology and social media platforms are putting organizations at risk.

Slide 8: Application security is often not a priority

Slide 9: Then what are organizations prioritizing? And what does this mean?
• 79% of developers have an ad hoc process, or no process, for building security into applications.
• 64% of security personnel have an ad hoc process, or no process, for building security into applications.
• 71% of developers feel security is not addressed in the SDLC.
• 51% of security personnel feel security is not addressed in the SDLC.
• 30% of developers build security into the post-launch phase.
• 13% of security personnel feel code-induced threats represent a greater threat than the human factor.

Slide 10: Please choose one statement that best describes security threats in your organization today
Human and code-induced threats are equal in terms of inherent security risk: Security 44%, Developer 41%
Human factor threats present a greater inherent security risk than code-induced threats: Security 43%, Developer 21%
Code-induced threats present a greater inherent security risk than human factor threats: Security 13%, Developer 38%

Slide 11: Does your organization have a process for ensuring that security is built into new applications?
Yes, we have a standardized process: Security 36%, Developer 21%
Yes, we have a non-standardized or "ad hoc" process: Security 43%, Developer 46%
No, we don't have a process: Security 21%, Developer 33%

Slide 12: In your opinion, is security adequately emphasized during the application development lifecycle?
Yes: Security 49%, Developer 29%
No: Security 51%, Developer 71%

Slide 13: Where in the application development lifecycle does your organization build in security features? (More than one choice permitted)
Bar chart (Security vs Developer) for Design phase, Development phase, Launch phase, Post-launch phase and Unsure; the individual values are not legible in this transcription. Slides 9 and 27 summarize it: 30% of developers build security in post-launch, and 37% of developers versus 60% of security personnel cite the design or development phase.

Slide 14: There is uncertainty about how to fix vulnerable code in critical applications

Slide 15: Organizations can't identify a starting point… and they are looking at the other organization to get it done.
• 47% of developers state that there is no formal mandate in place to remediate vulnerable application code.
• 29% of security personnel state that there is no formal mandate in place to remediate vulnerable application code.
• 51% of developers have no training in application security.
• 51% of security personnel have no training in application security.
• 54% of developers feel fixing bugs/patching applications is a drain on their company's time and budget.
• 46% of security personnel say the major attack methodology in breaches over the past 24 months is SQL injection.

Slide 16: How does your organization mandate the remediation of vulnerable code? (One best choice)
No formal mandate to remediate vulnerable code exists: Security 29%, Developer 47%
It's driven through the security organization, where the development organization remediates according to best practices: Security 28%, Developer 9%
Development or engineering drives the process without any mandate from security: Security 21%, Developer 19%
Compliance mandates drive the process and the risk group is responsible for pushing the directive down to security and development teams: Security 11%, Developer 13%
External auditors provide the mandate, which then gets pushed down through the corporate risk group: Security 6%, Developer 5%
Other (please specify): Security 5%, Developer 7%

Slide 17: Has your organization deployed a training program on application security?
Yes, fully deployed: Security 23%, Developer 11%
Yes, partially deployed: Security 22%, Developer 37%
No, but we plan to deploy in the next 12 to 24 months: Security 15%, Developer 14%
No: Security 36%, Developer 37%
Unsure: Security 4%, Developer 1%

Slide 18: What does your development team use to ensure they are successful in remediating potentially vulnerable code or fixing bugs? (More than one choice permitted)
Homegrown solution: Security 46%, Developer 51%
Training or education as needed: Security 45%, Developer 49%
Static analysis solution: Security 24%, Developer 23%
A bug tracking/de-bugging tool: Security 18%, Developer 16%
An IDE system (Integrated Development…): Security 18%, Developer 15%
Dynamic analysis solution: Security 14%, Developer 15%
Other (please specify): Security 13%, Developer 12%
Wikipedia as a reference: Security 5%, Developer 4%
Google as a reference: Security 5%, Developer 5%

Slide 19: What type of attack methods may have compromised your organization's data in a recent breach or security exploit? (More than one choice permitted)
SQL injection attack at the application layer: Security 46%, Developer 42%
Exploit of insecure code through use of a Web 2.0 application: Security 24%, Developer 29%
Cross-site scripting attack at the application layer: Security 23%, Developer 25%
Privilege escalation attack at the application layer: Security 17%, Developer 18%
Exploit of insecure software code on a mobile device: Security 13%, Developer 19%
Other attack methodology at the application layer: Security 8%, Developer 5%
Unsure: Security 19%, Developer 17%

Slide 20: A lack of knowledge about application security is resulting in a high rate of data breaches

Slide 21: Breaches continue to happen at the application level. Yet budget prioritization leans toward the network…
• Two-thirds of developers have experienced between 1 and 10 breaches in the past 24 months due to insecure applications.
• Half of security personnel have experienced between 1 and 10 breaches in the past 24 months due to insecure applications.
• 15% of developers feel all of their organization's applications meet security regulations.
• 12% of security personnel feel all of their organization's applications meet security regulations.
• 16% of developers don't know if a breach has even occurred within their organization at the application layer.
• 19% of security personnel don't know if a breach has even occurred within their organization at the application layer.

Slide 22: How often over the past 24 months has your organization experienced a data breach or security exploit as a result of an application being compromised or hacked?
Bar chart (Security vs Developer) for Zero (0), 1 to 5, 6 to 10, More than 10 and Unsure; the individual values are not legible in this transcription. Slide 21 summarizes it: two-thirds of developers and half of security personnel report 1 to 10 such breaches.

Slide 23: To the best of your knowledge, are your organization's applications compliant with all regulations for privacy, data protection and information security?
Yes, for all applications: Security 12%, Developer 15%
Yes, for most applications: Security 34%, Developer 45%
Yes, but only for some applications: Security 32%, Developer 37%
No: Security 11%, Developer 2%
Unsure: Security 11%, Developer 1%

Slide 24: What percentage of your IT security budget is dedicated to application security measures or activities?
Security and Developer responses are almost identical (the chart legend is not recoverable from this transcription): Less than 10%: 38% and 39%; 11 to 20%: 25% and 24%; 21 to 30%: 16% and 15%; 31 to 40%: 11% and 12%; 41 to 50%: 8% and 7%; More than 50%: 2% and 3%.

Slide 25: Please choose one statement that best describes security priorities in your organization today.
Security and Developer responses (the chart legend is not recoverable from this transcription): Network security is a higher priority than application security: 44% and 39%; Network security and application security are equal in terms of security priorities: 34% and 38%; Network security is a lower priority than application security: 22% and 23%.

Slide 26: A lack of accountability and discrepancy in priorities exists in many enterprises

Slide 27: Software security lives in a silo organizationally. And no one wants to own it…
• 44% of developers say there is no collaboration between the development organization and the security organization.
• 36% of security personnel state there is at least some collaboration between the development organization and the security organization.
• 42% of developers say that no one person owns security in the SDLC.
• 28% of security professionals feel the CISO should bear the ultimate responsibility for application security.
• 37% of developers build security into the design or development phase of the SDLC.
• 60% of security personnel say that security is built into the design or development phase of the SDLC.

Slide 28: What best describes the nature of collaboration between your organization's application development and security teams?
Significant collaboration: Security 12%, Developer 9%
Some collaboration: Security 36%, Developer 28%
Limited collaboration: Security 33%, Developer 19%
No collaboration: Security 19%, Developer 44%

Slide 29: Who in your organization is most responsible for ensuring security in the application development lifecycle?
Bar chart (Security vs Developer) for CIO, CISO, Head of application development, Head of quality assurance, No one person has overall responsibility, and Other (please specify); the individual values are not legible in this transcription. Slide 27 summarizes it: 42% of developers say no one person has overall responsibility, and 28% of security professionals name the CISO.

Slide 30: Mobile technology and social media platforms put organizations at risk

Slide 31: We haven't wanted to admit it, but mobile and social media apps are here to stay… and we had better plan ahead!
• 47% of developers say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
• 46% of security personnel say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
• 29% of developers say Web 2.0 social media apps were the second highest root cause of data breaches, next to SQL injection.
• 24% of security pros say Web 2.0 social media apps were the second highest root cause of data breaches, next to SQL injection.
• 65% of developers do not test mobile applications in production, development or Q/A processes.
• 60% of security personnel do not test mobile applications in production, development or Q/A processes.

Slide 32: What do you see as the two most serious emerging threats relative to application security over the next 12 to 24 months?
Insecure mobile applications: Security 30%, Developer 39%
Attacker infiltration through Web 2.0 applications: Security 30%, Developer 33%
Social media applications: Security 16%, Developer 14%
Hybrid mobile platform/Web 2.0 software vulnerabilities: Security 12%, Developer 6%
Continuance of web applications: Security 10%, Developer 7%
Other (please specify): Security 3%, Developer 1%

Slide 33: Following are three scenarios about attacks that may significantly impact your organization. (percentage agreeing)
Attacks through insecure mobile applications will significantly disrupt business operations within my organization: Security 40%, Developer 51%
Attacks through insecure applications will significantly disrupt business operations within my organization: Security 33%, Developer 42%
Attacks through an insecure network will significantly disrupt business operations within my organization: Security 31%, Developer 26%

Slide 34: What type of attack methods may have compromised your organization's data in a recent breach or security exploit? (More than one choice permitted)
Repeat of slide 19, with the same figures: SQL injection at the application layer leads (Security 46%, Developer 42%), followed by exploits of insecure code through Web 2.0 applications (Security 24%, Developer 29%) and cross-site scripting (Security 23%, Developer 25%).

Slide 35: Does your organization test mobile apps in the following venues? (More than one choice permitted)
None of the above: Security 60%, Developer 65%
Production: 33% and 25%; Development: 12% and 16%; Testing and quality assurance: 14% and 14% (Security and Developer responses; the chart legend is not recoverable from this transcription).

Slide 36: Questions

Slide 37: Contact Information
Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA
[email protected]

Slide 38: Thank You!
Ed Adams, CEO, Security Innovation
[email protected]
Pre-register for the report at: http://www.securityinnovation.com/security-lab/research.html
Or contact sales at: [email protected]

Slide 39: Thank you!
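Slides 19 and 34 place SQL injection at the application layer at the top of the reported breach methods (46% of security respondents, 42% of developers), and slide 18 shows remediation resting mostly on homegrown solutions and ad hoc training rather than analysis tooling. The deck itself contains no code, so the following Python example is added by the editor and is not part of the webinar or the Ponemon/Security Innovation study. It shows the defect behind that statistic next to its fix: a login query assembled by string concatenation beside the same query with bound parameters, both run against a constructed in-memory SQLite table with hypothetical users, using three classic payloads (tautology, comment truncation, UNION exfiltration) plus one legitimate name containing an apostrophe.

```python
import sqlite3

# Constructed sample data for the demo only. Plaintext passwords are used so the
# injection effect is visible; a real application stores password hashes.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
    ("o'brien", "pw3", "user"),  # legitimate input that contains a quote
]


def make_db():
    """Build an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Concatenates user input into the SQL text: input can change the query's
    structure, which is the SQL injection the survey respondents report."""
    sql = (
        "SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the SQL text is fixed and the driver
    passes the values separately, so quotes, comments and UNION in the input
    are just characters in a string, never SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def run_demo():
    """Run the same attacker inputs through both implementations and return
    the results so the difference can be inspected or asserted on."""
    conn = make_db()

    # Tautology: ' OR '1'='1 turns the WHERE clause into (name AND '') OR true.
    bypass = ("alice", "' OR '1'='1")
    # Comment truncation: alice'-- closes the string and discards the password test.
    comment = ("alice'--", "wrong")
    # UNION exfiltration: appends a second SELECT that returns the password column.
    exfil = ("x' UNION SELECT name, password FROM users --", "wrong")

    try:
        # Concatenation also breaks on honest input containing an apostrophe.
        vuln_quote = login_vulnerable(conn, "o'brien", "pw3")
    except sqlite3.OperationalError as exc:
        vuln_quote = f"error: {exc}"

    return {
        "vuln_bypass": sorted(login_vulnerable(conn, *bypass)),
        "safe_bypass": login_parameterized(conn, *bypass),
        "vuln_comment": login_vulnerable(conn, *comment),
        "safe_comment": login_parameterized(conn, *comment),
        "vuln_exfil": sorted(login_vulnerable(conn, *exfil)),
        "safe_exfil": login_parameterized(conn, *exfil),
        "vuln_quote": vuln_quote,
        "safe_quote": login_parameterized(conn, "o'brien", "pw3"),
        "safe_legit": login_parameterized(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:>12}: {result}")
```

The parameterized version is the fix a static analysis tool would push for: it is not escaping (which has to be correct for every dialect and every code path) but a separation of query text from data enforced by the database driver. The same concatenation pattern also fails on honest input with an apostrophe, which is why the o'brien case errors out in the vulnerable path and succeeds in the parameterized one.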