A new Ponemon Institute and WhiteSource report on application security indicates that most large enterprise-scale organizations feel that their portfolio of applications has become more vulnerable recently. Respondents are struggling more with monitoring, detecting and preventing attacks and report that it is the norm for development and security teams to have little to no communication with each other.
Application security headed in the wrong direction?
The report, entitled ‘Reducing Enterprise Application Security Risks: More Work Needs to Be Done’, surveyed 634 IT and security practitioners and compared the results to a similar survey taken in 2015. The majority of participants were drawn from organizations that have a headcount of over 5,000.
The leading takeaway is that 71% of organizations say that their application portfolio is more vulnerable than it was a year ago. 63% say that it is difficult to reduce the risk to applications because they are not able to monitor and prevent attacks at the application level. These numbers are actually small improvements on the responses gathered in 2015, but they are headed in the wrong direction compared with the previous year, 2019.
Why are business-critical applications at risk? The issues start with development. 65% of respondents say that there is limited to no collaboration between the development and security teams, and 50% say that security is not adequately emphasized during the design process. 58% of respondents say it takes too long to patch applications that are in production, with the process running anywhere from days to months. And 57% say that they are not capable of quickly detecting vulnerabilities and threats.
This is not just a recent development; organizations have been de-emphasizing security in development since 2015. The survey finds that the number of organizations building security features into applications dropped from 32% to 21% in five years. A policy of emphasizing security during development remains fairly steady but was never high to begin with: 39% of organizations said they did this in 2015, with a slight increase to 43% in 2020.
The report also points out that application security risks are rising disproportionately to other types of vulnerabilities. One factor is a substantial increase in the sheer number of apps in use. The organizations surveyed averaged 2,672 applications across the entire business, with about 30% of these considered to be mission critical. Organizations have increased the priority level of app protection as these numbers have grown, even if it is not necessarily happening at the design phase; the number considering application security a top objective grew from 45% in 2015 to 59% in 2020.
The most common form of application security in use is external pen tests (53%). A slightly smaller number of organizations make use of DAST (dynamic application security testing), a WAF (web application firewall), RASP (runtime application self-protection) or internal pen testing, or some combination thereof. But detection of vulnerabilities while in production remains a serious challenge: 11% now say that detection takes months, 13% say it takes weeks and 34% say it takes a matter of days.
Spending on application security also lags behind some other areas, namely network (which generally gets more than double the budget) and endpoint security. This is in spite of respondents assigning a relatively high risk score to applications as compared to areas that receive more money.
Improvements needed for secure software development
The study concludes with some data that points to ways to shore up application security. One issue is that the Secure Software Development Life Cycle (SSDLC) process tends to be inconsistent and/or unstructured. Only 33% of organizations currently describe their SSDLC as “formal, structured and consistent,” although that is slightly more than double the 2015 figure. 20% say that they have a formal and structured approach but do not have enterprise-wide consistency. 26% describe it as “informal” and 17% describe it as “ad hoc.”
Also, the largest single group of organizations (30%) wait until the post-launch phase to begin building security features into apps. The rest mostly fall somewhere in the middle of the development process, with only 21% addressing it in the design phase (a 14% reduction from 2015).
The leading reason for finding it difficult to remediate application security vulnerabilities is an inability to quickly patch apps that are in production, followed by an inability to quickly detect vulnerabilities and threats and a lack of enabling security tools or qualified personnel. In terms of current application security solutions, 60% of respondents said they were too slow to remediate vulnerabilities, 55% felt they were overly complex, 51% had interoperability issues and 50% experienced a high false positive rate. 47% said that these solutions were presently too costly, but only 19% had complaints about vendor support.
While some of the data points to small improvements in the state of application security as compared to five years ago, it is not enough to keep pace with an attack landscape made up of polymorphic threats directed against an increasing number of remote work-related targets. With a total of 80% of organizations reporting that there is, at best, only a limited interface between security and development teams, improved internal communication around application development would appear to be the place to start.