When it comes to security, a large number of organisations have a glaring hole in their defenses: their applications.
A recent study of more than 800 IT security and development professionals reports that most organisations don't prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0/social media applications.
Sixty-eight percent of developers' organizations and 47 percent of security practitioners' organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of security practitioners and 16 percent of developers were uncertain if their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of developers say all their organizations' applications meet regulations for privacy, data protection and information security.
Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security.
"We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn't worked, how industries are organizing themselves and what gaps exist," says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. "We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it."
The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.
Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organization have no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.
"What emerged in this study was that companies don't seem to be looking at the root causes of data breaches, and they aren't moving very fast to bridge the existing gaps to fix the myriad of problems," says Ed Adams, CEO of Security Innovation. "The threat landscape has grown substantially in scope, most notably as our survey respondents stated that Web 2.0 and mobile attacks are the targets of the next wave of threats beyond just web applications."
The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That's a stark contrast from the 19 percent of security practitioners that say there is no collaboration.
Lack of Collaboration in Application Security
"We basically found that developers were much more likely to think there was a lack of collaboration," Dr. Ponemon says. "The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they're getting the word out on collaborating or helping, but they're not doing so effectively."
In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don't understand how to implement that policy. The security organizations think they've done their job, but they haven't managed to make their policy contextual for developers.
"We find that process has no bearing whatsoever on the ability of an organization to write secure code," Dr. Ponemon says. "It doesn't take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write."
Education Is Key to Application Security
But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.
Adams believes providing that education will go a long way toward helping organizations secure their applications and minimize the risk.
"This is more of an education problem than anything else," Adams says. "In the late 90s, everybody was putting their applications on the web. But they kept on crashing. It was really a performance problem: The developers didn't know how to code for performance. Amazingly, that's what's happening in the world today. Organizations are buying application security tools before they get application security training. You have to get trained on the technique first."
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.
Read more about applications in CIO's Applications Drilldown.