One of the most crucial things organizations can do to improve application security is to better coordinate AppSec methods and practices among developers, architects, and system administrators. This is the best approach to thwarting vulnerabilities rooted in configuration issues and third-party components, according to The SANS Institute.
The firm’s 2016 State of Application Security: Skills, Configurations and Components report surveyed 475 security administrators and analysts, senior-level security managers, and security architects at companies of less than 1,000 up to enterprises with more than 10,000 employees. Industries surveyed included financial services, application development, healthcare, telecommunications, retail, and energy.
Perhaps not surprisingly, only 26 percent of those responding say their AppSec programs are fully mature as of 2016, which means there’s a lot of room for improvement, particularly when it comes to web apps. Publicly facing web applications are the largest single source of network breaches and data loss at the surveyed organizations. (The next largest source of breaches is legacy applications, another area of concern for many companies.)
An AppSec Skills Shortage and Remediation Delays
The top challenges to improving application security programs cited by respondents were a lack of proper skills, tools, and methods (cited by 38 percent of respondents), lack of funding and management buy-in (cited by 37 percent), barriers between security, development, and business organizations (cited by 33 percent), and finding effective ways to identify all the apps in their portfolio (cited by 32 percent).
Additionally, the processes organizations use to address application vulnerabilities today are falling far short of expectations, according to SANS. Fewer than 30 percent of survey respondents said they were at least 75 percent satisfied with their current application security methods and processes. Just 26 percent of web app vulnerabilities are addressed within seven days of discovery, survey respondents said.
For organizations trying to address these challenges, several conclusions become clear. As SANS notes, “It takes a village to protect applications.” Skills shortages have been commonplace for many years in nearly all information security disciplines, so training and education programs are critically important to keep your team well-prepared to meet modern web app security threats such as SQL injection and cross-site scripting. And while you’re training these teams, they need to find new ways to work together to promote security across the entire SDLC.
“Successful AppSec programs are tightly integrated with development life-cycle and procurement processes. Currently, most AppSec programs are still new, and growing them will require sufficient resources. To leverage limited budgets for AppSec, it is critical for these programs to overcome silos so that communication among all stakeholders will be promoted,” the report concludes.
SANS’ other recommendations for improving web app security include:
- Evaluating the security of web apps in production
- Taking a close look at legacy applications to determine what risk they pose
- Implementing a continuous testing process
- Holding vendors responsible for AppSec through specific contract language
All these approaches are important steps to take to improve web app security in your organization. As attackers develop new and more sophisticated ways to leverage web app vulnerabilities, at IMMUNIO, we believe it makes sense to cultivate what we call “application defense in-depth” practices. Download our ebook to learn what’s necessary to mitigate threats to your apps that make it past the network perimeter before critical data is compromised.