The State of Application Security: Silos and IT Skills Shortages

One of the most crucial things organizations can do to improve application security is to better coordinate AppSec methods and practices.

By Oliver Lavery · Aug. 20, 16 · Analysis
One of the most crucial things organizations can do to improve application security is to better coordinate AppSec methods and practices among developers, architects, and system administrators. This is the best approach to thwarting vulnerabilities rooted in configuration issues and third-party components, according to The SANS Institute.

The firm’s 2016 State of Application Security: Skills, Configurations and Components report surveyed 475 security administrators and analysts, senior-level security managers, and security architects at companies of less than 1,000 up to enterprises with more than 10,000 employees. Industries surveyed included financial services, application development, healthcare, telecommunications, retail, and energy.

Perhaps not surprisingly, only 26 percent of those responding say their AppSec programs are fully mature as of 2016, which means there is a lot of room for improvement, particularly when it comes to web apps. Publicly facing web applications are the largest single source of network breaches and data loss at the surveyed organizations. (The next largest source of breaches is legacy applications, another area of concern for many companies.)

An AppSec Skills Shortage and Remediation Delays

The top challenges to improving application security programs cited by respondents were a lack of proper skills, tools, and methods (cited by 38 percent of respondents), lack of funding and management buy-in (cited by 37 percent), barriers between security, development, and business organizations (cited by 33 percent), and finding effective ways to identify all the apps in their portfolio (cited by 32 percent).

Additionally, the processes organizations use to address application vulnerabilities today are falling far short of expectations, according to SANS. Fewer than 30 percent of survey respondents said they were at least 75 percent satisfied with their current application security methods and processes. Just 26 percent of web app vulnerabilities are addressed within seven days of discovery, survey respondents said.

For organizations trying to address these challenges, several conclusions become clear. As SANS notes, “It takes a village to protect applications.” Skills shortages have been commonplace for many years in nearly all information security disciplines, so training and education programs are critically important to keep your team well prepared to meet modern web app security threats such as SQL injection and cross-site scripting. And while you are training these teams, they need to find new ways to work together to promote security across the entire SDLC.

“Successful AppSec programs are tightly integrated with development life-cycle and procurement processes. Currently, most AppSec programs are still new, and growing them will require sufficient resources. To leverage limited budgets for AppSec, it is critical for these programs to overcome silos so that communication among all stakeholders will be promoted,” the report concludes.

SANS’ other recommendations for improving web app security include:

  • Evaluating the security of web apps in production
  • Taking a close look at legacy applications to determine what risk they pose
  • Implementing a continuous testing process
  • Holding vendors responsible for AppSec through specific contract language

All these approaches are important steps to take to improve web app security in your organization. As attackers develop new and more sophisticated ways to leverage web app vulnerabilities, we at IMMUNIO believe it makes sense to cultivate what we call “application defense in-depth” practices. Download our ebook to learn what is necessary to mitigate threats to your apps that make it past the network perimeter before critical data is compromised.


Published at DZone with permission of Oliver Lavery, DZone MVB. See the original article here.
