Application security survey at RSA: The good, the bad, and the ugly

Our RSA 2019 survey on the state of application security collected dozens of responses and highlighted some notable trends. Take a look at what we found out.

Application security is a priority—a high priority. That’s the top takeaway from a survey we conducted at RSA Conference in San Francisco last month.

Of course, RSA is a security conference, so that might seem like a given. But it was clear from the responses of 87 security professionals in a wide range of industries that they aren’t just talking about application security—they’re doing it. Read on for our analysis, or download the infographic.

The good

Nearly 92% said their organizations have a dedicated application security team or initiative, either internal or third-party, or a combination of the two—about the same as last year. Only 8% reported no formal application security program in place.

There was good news in several other areas as well. They include:

Training. The percentage of organizations with security training programs for developers, all employees, or both groups, is nearing 90%. That’s a sign that more organizations are accepting awareness training as an effective way to create a corporate culture of security. Just 14% report having no cyber security training program.

The only downside to those numbers is that the 14% with no training program is a slight increase from 2018, when it was just 12%.

The cloud. The move to the cloud continues. A survey last year by Druva, a cloud data management and security company, found that moving virtualized workloads to the cloud is either a reality or a near-term goal for an overwhelming majority (90%) of 170 organizations it surveyed.

The good news is that there’s a corresponding increase in focus on cloud security. The percentage of those with a “distinct, specialized approach” to securing their cloud deployments took a significant jump from last year—from 58% to 72%.

Lessons learned. The increase in cloud security initiatives was especially pronounced among organizations that had been attacked—from 59% to 81%. Clearly, getting burned motivated organizations to make security more of a priority. Everybody makes mistakes. But learning from them can make an organization stronger.

Putting the customer first. Securing customer data has been an ongoing high priority, but the percentage considering it critical increased from 68% to 72%.

The bad

Of course, not all the news on the security front is good. If it were, there would be no need for security conferences. Some of it even qualifies as bad:

Under attack. More than a third (37%) of respondents said their organizations had been targeted by a cyber attack within the past two years. Of the remainder, 40% said they had not been attacked, and 23% said they didn’t know.

Roadblocks. Nearly a third of respondents (32%) said the lack of skilled security professionals hampers their application security initiatives. Lower on the list were budget constraints (20%) and a lack of executive leadership (8%).

Risky business. Any organization that depends on software—and virtually all do—is in the risk-mitigation business. But not all risks are the same, or equal. According to respondents, the highest security risks to their organizations came from customer-facing web applications (49%) and internal business applications (22%). They were much less concerned about mobile apps (15%) and embedded systems/IoT devices (14%).

Vulnerability management

That diversity of risk extends to organizations in general. Every organization has a different risk profile. A high security risk at one might not even be a factor at another. But some trends are significant. Asked what type of vulnerability presents the highest risk to their organizations, the percentage of those who cited proprietary code developed in-house dropped from 36% in 2018 to 31% this year. But when it came to open source software components included in applications they develop or use, the trend was the opposite—it went from 22% in 2018 to 31% this year.

That is likely an indication of the ubiquity of open source, which appears in an estimated 99% of applications with more than 1,000 files.

There was less concern with proprietary code developed by a third party (22%), misconfiguration vulnerabilities in cloud or containerized applications (15%), and chip-level flaws or vulnerabilities (1%).

The ugly

Finally, the ugly: According to the survey, 40% of respondents (up from 28% last year) said the most significant roadblock to implementing application security programs was their impact on agility and speed of application development or deployment.

In short, the perception is that security testing slows application development down.

The silver lining is that this perception is a misperception.

There are now platforms available that offer multiple tools and services to “build security in” throughout the SDLC without slowing developers down. The reality is, with the right tools, you don’t have to sacrifice speed for security.

That is the really good news behind an ugly survey result. It’s just that a significant number of organizations still need to hear about it.

Ready to get started?

Read The CISO’s Ultimate Guide to Securing Applications

*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Taylor Armerding. Read the original post at: