2012 Study on Application Security


2012 Study on Application Security: A Survey of IT Security and Developers

Ed Adams, CEO, Security Innovation
Dr. Larry Ponemon, Ponemon Institute
2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
Today’s webinar:
• Text in questions using the Ask A Question button
• All audio is streamed over your computer
  – Having technical issues? Click the ? button
• Download the slide deck from the Event Home Page
• No CPEs being offered for this event
• Question or suggestion? Email them to [email protected]
Ponemon Institute LLC
• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
• The Institute has assembled more than 60 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
• The majority of active participants are privacy or information security leaders.
About this research
• This research was conducted to understand the perceptions both security and development practitioners have about application security maturity.
• Key topics include:
  – Adopted processes considered most effective
  – Adoption and use of technologies that are affecting the state of application security
  – Gaps between people, process and technology and the effect they have on the enterprise
  – Different perceptions security and development practitioners have about application maturity, readiness and accountability
  – Threats to the application layer, including emerging platforms
  – Application-layer links to data breaches
Respondent Statistics

Sample response        Security   Developer
U.S. sample frame        14,997       6,962
Returned surveys            665         301
Rejected surveys             98          45
Final sample                567         256
Response rate              3.8%        3.7%
Ponemon Institute: Private and Confidential
Attributions about the maturity of IT security activities
(bar chart, Developers vs. Security responses)

Application security is a top priority in my organization: Developers 38%, Security 58%
Security technologies are adequate in protecting our information assets and IT infrastructure: Developers 44%, Security 54%
Security & data protection policies are well-defined and fully understood by employees: Developers 37%, Security 53%
IT security strategy is fully aligned with the business strategy: Developers 39%, Security 50%
Appropriate steps are taken to comply with the leading IT security standards: Developers 41%, Security 48%
The IT security function is able to prevent serious cyber attacks such as advanced persistent threats: Developers 33%, Security 46%
IT security responds quickly to new challenges and issues: Developers 31%, Security 42%
The IT security leader is a member of the executive team: Developers 35%, Security 41%
IT security can hire and retain knowledgeable and experienced security practitioners: Developers 35%, Security 40%
There are ample resources to ensure all IT security requirements are accomplished: Developers 34%, Security 36%
Key Themes
• Application security is often not a priority.
• There is uncertainty about how to fix vulnerable code in critical applications.
• A lack of knowledge about application security is resulting in a high rate of data breaches.
• A lack of accountability and discrepancy in priorities exists in many enterprises.
• Mobile technology and social media platforms are putting organizations at risk.
Application security is often not a priority
Then what are organizations prioritizing? And what does this mean?

79% of developers have an ad-hoc or no process for building security into applications.
64% of security personnel have an ad-hoc or no process for building security into applications.
71% of developers feel security is not addressed in the SDLC.
51% of security personnel feel security is not addressed in the SDLC.
30% of developers build security into the post-launch phase.
13% of security personnel feel code-induced threats represent a greater threat than the human factor.
Please choose one statement that best describes security threats in your organization today.

Human and code-induced threats are equal in terms of inherent security risk: Developer 41%, Security 44%
Human factor threats present a greater inherent security risk than code-induced threats: Developer 21%, Security 43%
Code-induced threats present a greater inherent security risk than human factor threats: Developer 38%, Security 13%
Does your organization have a process for ensuring that security is built into new applications?
(bar chart, Security vs. Developer; answer options: Yes, we have a standardized process; Yes, we have a non-standardized or “ad hoc” process; No, we don’t have a process. Values shown: 46%, 43%, 36%, 33%, 21%, 21%.)
In your opinion, is security adequately emphasized during the application development lifecycle?

Yes: Security 49%, Developer 29%
No: Security 51%, Developer 71%
Where in the application development lifecycle does your organization build in security features? (More than one choice permitted)
(bar chart, Security vs. Developer; phases: Design phase, Development phase, Launch phase, Post-launch phase, Unsure. Values shown: 31%, 29%, 30%, 21%, 19%, 18%, 17%, 13%, 12%, 10%.)
There is uncertainty about how to fix vulnerable code in critical applications
Organizations can’t identify a starting point…
And they are looking to the other organization to get it done.

47% of developers state that there is no formal mandate in place to remediate vulnerable application code.
29% of security personnel state that there is no formal mandate in place to remediate vulnerable application code.
51% of developers have no training in application security.
51% of security personnel have no training in application security.
54% of developers feel fixing bugs/patching applications is a drain on their company’s time and budget.
46% of security personnel say the major attack methodology in breaches over the past 24 months is SQL injection.
How does your organization mandate the remediation of vulnerable code? (One best choice)

No formal mandate to remediate vulnerable code exists: Developer 47%, Security 29%
It’s driven through the security organization, where the development organization remediates according to best practices: Developer 9%, Security 28%
Development or engineering drives the process without any mandate from security: Developer 19%, Security 21%
Compliance mandates drive the process and the risk group is responsible for pushing the directive down to security and development teams: Developer 13%, Security 11%
External auditors provide the mandate, which then gets pushed down through the corporate risk group: Developer 5%, Security 6%
Other (please specify): Developer 7%, Security 5%
Has your organization deployed a training program on application security?
(bar chart, Security vs. Developer; answer options: Yes, fully deployed; Yes, partially deployed; No, but we plan to deploy in the next 12 to 24 months; No; Unsure. Values shown: 37%, 36%, 37%, 23%, 22%, 15%, 14%, 11%, 4%, 1%.)
What does your development team use to ensure they are successful in remediating potentially vulnerable code or fixing bugs? (More than one choice permitted)

Homegrown solution: Developer 51%, Security 46%
Training or education as needed: Developer 49%, Security 45%
Static analysis solution: Developer 23%, Security 24%
A bug tracking/de-bugging tool: Developer 16%, Security 18%
An IDE system (Integrated Development…): Developer 15%, Security 18%
Dynamic analysis solution: Developer 15%, Security 14%
Other (please specify), Wikipedia as a reference, Google as a reference: remaining bars 4%, 5%, 5%, 5%, 12%, 13%
What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted)

SQL injection attack at the application layer: Developer 42%, Security 46%
Exploit of insecure code through use of a Web 2.0 application: Developer 29%, Security 24%
Cross-site scripting attack at the application layer: Developer 25%, Security 23%
Privilege escalation attack at the application layer: Developer 18%, Security 17%
Exploit of insecure software code on a mobile device: Developer 19%, Security 13%
Other attack methodology at the application layer: Developer 5%, Security 8%
Unsure: Developer 17%, Security 19%
A lack of knowledge about application security is resulting in a high rate of data breaches
Breaches continue to happen at the application level.
Yet budget prioritization leans toward the network…

Two-thirds of developers have experienced between 1 and 10 breaches in the past 24 months due to insecure applications.
Half of security personnel have experienced between 1 and 10 breaches in the past 24 months due to insecure applications.
15% of developers feel all of their organization’s applications meet security regulations.
12% of security personnel feel all of their organization’s applications meet security regulations.
16% of developers don’t know if a breach has even occurred within their organization at the application layer.
19% of security personnel don’t know if a breach has even occurred within their organization at the application layer.
How often over the past 24 months has your organization experienced a data breach or security exploit as a result of an application being compromised or hacked?
(bar chart, Security vs. Developer; answer options: Zero (0), 1 to 5, 6 to 10, More than 10, Unsure. Values shown: 40%, 34%, 32%, 19%, 19%, 16%, 16%, 11%, 9%, 4%.)
To the best of your knowledge, are your organization’s applications compliant with all regulations for privacy, data protection and information security?
(bar chart, Security vs. Developer; answer options: Yes, for all applications; Yes, for most applications; Yes, but only for some applications; No; Unsure. Values shown: 45%, 37%, 34%, 32%, 15%, 12%, 11%, 11%, 2%, 1%.)
What percentage of your IT security budget is dedicated to application security measures or activities?
(bar chart, Security vs. Developer; answer options: Less than 10%, 11 to 20%, 21 to 30%, 31 to 40%, 41 to 50%, More than 50%. Values shown: 38%, 39%, 25%, 24%, 16%, 15%, 11%, 12%, 8%, 7%, 2%, 3%.)
Please choose one statement that best describes security priorities in your organization today.
(bar chart, Security vs. Developer; answer options: Network security is a lower priority than application security; Network security is a higher priority than application security; Network security and application security are equal in terms of security priorities. Values shown: 44%, 39%, 38%, 34%, 22%, 23%.)
A lack of accountability and discrepancy in priorities exists in many enterprises
Software security lives in a silo organizationally.
And no one wants to own it…

44% of developers say there is no collaboration between the development organization and the security organization.
36% of security personnel state there’s at least some collaboration between the development organization and the security organization.
42% of developers say that no one person owns security in the SDLC.
28% of security professionals feel the CISO should bear the ultimate responsibility for application security.
37% of developers build security into the design or development phase of the SDLC.
60% of security personnel say that security is built into the design or development phase of the SDLC.
What best describes the nature of collaboration between your organization’s application development and security teams?
(bar chart, Security vs. Developer; answer options: Significant collaboration, Some collaboration, Limited collaboration, No collaboration. Values shown: 44%, 36%, 33%, 28%, 19%, 19%, 12%, 9%.)
Who in your organization is most responsible for ensuring security in the application development lifecycle?
(bar chart, Security vs. Developer; answer options: CIO; CISO; Head of application development; Head of quality assurance; No one person has overall responsibility; Other (please specify). Values shown: 42%, 28%, 20%, 26%, 22%, 20%, 14%, 11%, 8%, 6%, 1%, 2%.)
Mobile technology and social media platforms put organizations at risk
We haven’t wanted to admit it, but mobile and social media apps are here to stay…and we better plan ahead!

47% of developers say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
46% of security personnel say the most serious emerging threat relative to application security is Web 2.0 or social media applications.
29% of developers say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.
24% of security pros say Web 2.0 social media apps were the 2nd highest root cause of data breaches next to SQL injection.
65% of developers do not test mobile applications in production, development or Q/A processes.
60% of security personnel do not test mobile applications in production, development or Q/A processes.
What do you see as the two most serious emerging threats relative to application security over the next 12 to 24 months?

Insecure mobile applications: Developer 39%, Security 30%
Attacker infiltration through Web 2.0 applications: Developer 33%, Security 30%
Social media applications: Developer 14%, Security 16%
Hybrid mobile platform/Web 2.0 software vulnerabilities: Developer 6%, Security 12%
Continuance of web applications: Developer 7%, Security 10%
Other (please specify): Developer 1%, Security 3%
Following are three scenarios about attacks that may significantly impact your organization.

Attacks through insecure mobile applications will significantly disrupt business operations within my organization: Developer 51%, Security 40%
Attacks through insecure applications will significantly disrupt business operations within my organization: Developer 42%, Security 33%
Attacks through an insecure network will significantly disrupt business operations within my organization: Developer 26%, Security 31%
What type of attack methods may have compromised your organization’s data in a recent breach or security exploit? (More than one choice permitted; same chart as shown earlier)
Does your organization test mobile apps in the following venues? (More than one choice permitted)
(bar chart, Security vs. Developer; venues: Production, Development, Testing and quality assurance, None of the above. Values shown: 65%, 60%, 33%, 25%, 12%, 16%, 14%, 14%.)
Questions
Contact Information
Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
[email protected]
Thank You!
Ed Adams, CEO
Security Innovation
[email protected]
Pre-register for the report at:
http://www.securityinnovation.com/security
lab/research.html
Or contact sales at: [email protected]
Thank you!