In this Security Report Analysis (SRA) series I look at various security reports and pull out the main points.
This doesn’t replace a complete and detailed read of these reports, but at least you’ll get exposed to some of the key takeaways that you might not otherwise have seen.
[ NOTE: These points are a combination of the report’s actual content combined with my interpretation. Some of the analysis is not theirs, in other words. Don’t take this as me putting words in their mouths, but rather me trying to parse and interpret for my and your benefit. ]
[ STUDY: The report is the result of a survey of 605 IT and InfoSec practitioners in the United States who are in some way tied to the information security function. ]
- 57% of people say it’s the lack of visibility at the application layer that’s preventing “a strong application security”. (methinks that’s a typo)
- 63% think app layer attacks are harder to detect than network layer attacks
- 67% think they’re harder to contain than network attacks
- Other listed reasons are the move to the cloud, and the lack of strong appsec people on their teams
- The frequency and severity of attacks on the application layer is considered greater than at the network layer
- Network security is better funded than application security. Roughly 18% of security budgets go to appsec
- Fifty-six percent of respondents believe accountability for application security is shifting from IT to the end user or application owner
- Respondents estimate that on average their organizations have 1,175 applications and an average of 33 percent are considered mission critical
- Sixty-six percent of respondents are only somewhat confident (23 percent) or have no confidence (43 percent) they know all the applications in their organizations
- 68 percent of respondents (34 percent + 34 percent) say their IT function does not have visibility into all the applications deployed in their organizations
- 37 percent of business applications are in the cloud and this will increase to an average of 46 percent
- Sixty-nine percent of respondents believe the shortage of skilled and qualified application developers puts their applications at risk
- Seventy-four percent of respondents say in application development they are only somewhat confident (27 percent) or have no confidence (47 percent) that such practices as input/output validation, defensive programming and appropriate compiler/linker security options are conducted
- Thirty-five percent of respondents say their organizations have adopted devops or continuous integration practices into the application development lifecycle
- Thirty percent of respondents say their organizations use WAFs to secure applications
- Thirty-nine percent of respondents say their organization uses micro-segmentation to enhance the security posture of their applications and 37 percent use Linux or Windows containers
- Sixty percent of respondents anticipate the applications developer will assume more responsibility for the security of applications
- Fifty percent of respondents say secure coding practices, such as penetration testing, slow down the application delivery cycle within their organizations significantly (12 percent of respondents) or some slowdown (38 percent of respondents). However, 44 percent of respondents say there is no slowdown
Here’s my breakdown.
- Application security attacks are harder to detect
- AppSec is WAY under-funded compared to NetSec
- Apps are the most attacked, but people still don’t even know where all their apps are and/or have them under management
- Developers still aren’t incentivized to make secure coding a priority
- Security is still adding enough slowdown to development that it’s probably a contributing factor to development teams ignoring it when they can
In short, it’s what many of us in AppSec expected: We need to reduce the friction of adding security to the lifecycle, we need to know where our apps are, and we need to spend more of our security budget on apps vs. network.
- While this capture can be helpful, I suggest reading the whole report for full context.