How to Make Application Security a Strategically Managed Discipline
Sponsored by IBM Security
Dr. Larry Ponemon & Mr. Neil K. Jones
March 2016
The sampling frame is composed of 16,373 individuals in the United States who are involved in application security in their organizations.
March 2016 Ponemon Institute: Private and Confidential 1

Sample response                         Freq     Pct%
Sampling frame                          16,373   100.0%
Total returns                           716      4.4%
Post-screened and rejected surveys      86       0.5%
Final sample                            630      3.8%
What’s wrong with application security risk management?
Strongly agree and agree responses
No visibility into the overall state of application security: 67%
Application security is fragmented and carried out at a low level: 65%
Executive support of application security initiatives
Perceptions about application security risk management
Strongly agree and agree responses combined
My organization does not know all applications or databases that are currently active: 69%
Application security is harder to achieve than other areas of security: 56%
More control over applications developed in-house versus off-the-shelf software: 38%
What best describes your organization’s application security risk management process?
No process: 28%
Formal process that is customized by application criticality: 21%
Informal process that is applied consistently across the enterprise: 18%
Formal process that is applied consistently across the enterprise: 15%
Ad hoc process: 9%
Informal process that is customized by application criticality: 9%
Who owns your organization’s application security risk management process?
Business units (LOB): 24%
CIO or CTO: 24%
No one person or department: 20%
Head of software development: 15%
CISO or CSO: 9%
Head of quality assurance: 6%
Other: 2%
What challenges keep your organization’s application security posture from being fully effective?
Three responses permitted
Management underestimates risk: 60%
Pressure to release new applications: 56%
Growth in application security vulnerabilities: 46%
Lack of in-house expertise: 44%
Insufficient budget (money): 30%
Lack of clear leadership: 27%
Not considered an organizational priority: 19%
Lack of effective testing tools: 18%
Evolving application security threat landscape
What are your organization’s top application security risk management objectives?
Top three responses
Minimize downtime: 69%
Minimize business disruption: 63%
Comply with regulations and legal mandates: 62%
Protect intellectual property (e.g., trade secrets, source code, etc.): 48%
Prevent attacks: 23%
Preserve brand and reputation: 21%
Secure critical infrastructure: 11%
Other: 3%
Where do security compromises most likely occur?
100 points allocated based on the level of risk presented by each layer
Applications: 32
Network: 25
Human negligence: 17
Data: 12
Physical: 9
Operating systems: 5
How significant are SQL Injection and cross-site scripting threats?
7+ on a scale of 1 = no threat to 10 = significant threat
Cross-Site Scripting threat: 47%
SQL Injection threat: 45%
How effective is your organization in stopping or curtailing security compromises or exploits in software applications?
1 = not effective to 10 = very effective, extrapolated value = 4.7
1 or 2: 20%
3 or 4: 31%
5 or 6: 24%
7 or 8: 17%
9 or 10: 8%
Reality of application security risk management for today’s organization
What are the essential and most important control activities to establish a strong application security posture?
Essential and Very important responses combined
Obtain visibility into the state of application security across the enterprise: 75%
Set priorities for testing and remediation that align with business risks and strategies: 72%
Allocate resources to help prevent the most likely and most harmful data breaches: 76%
Measure progress toward application security goals: 54%
Continuously monitor the organization’s overall risk posture: 53%
What steps does your organization take to manage application security risk?
Fully and partially implemented
Create an inventory of application assets and assess their business impact: 36%
Test the application for vulnerabilities: 44%
Determine the risks and prioritize vulnerabilities: 49%
Remediate the risks: 37%
Measure progress and demonstrate compliance: 25%
Is application security risk within your organization increasing, decreasing or staying the same?
Significantly increasing: 27%
Increasing: 20%
Staying the same: 40%
Decreasing: 11%
Significantly decreasing: 2%
What best describes the maturity level of your organization’s application security risk management program?
We have not launched a security risk management program: 20%
Early stage – most program activities have not been planned or deployed: 25%
Middle stage – program activities are planned and defined, but only partially deployed: 30%
Late-middle stage – many program activities are deployed across the enterprise: 14%
Mature stage – program mission is fully accomplished: 11%
What methods does your organization deploy to test applications for vulnerabilities?
More than one response permitted
Static application security testing: 39%
Dynamic application security testing: 36%
Mobile application security testing: 23%
Interactive security testing: 18%
Other: 5%
None of the above: 35%
What best describes your organization’s application testing cycle?
No planned cycle: 35%
Only after new code is added: 20%
More than yearly: 5%
Yearly: 8%
Quarterly: 7%
Monthly: 9%
Weekly: 8%
Daily: 2%
Continuously: 6%
What steps are taken to test for vulnerabilities in applications?
Handling mobile application vulnerabilities: 33%
Covering the most current application technologies: 29%
Ensuring tests accurately identify actual defects and eliminate false positives: 25%
Testing method scales efficiently from a few to many applications: 21%
Testing is conducted throughout the application development life cycle: 14%
Other: 4%
None of these steps taken: 46%
What steps does your organization take to remediate the risks associated with vulnerable applications?
Ensure developers receive training on how to secure the coding process: 36%
Provide code libraries or templates that address key issues: 29%
Create test plans and test scripts to detect authentication defects early in the development cycle: 24%
Require best practices for secure authentication in application specifications so that issues are visible to developers and QA engineers: 20%
Other: 3%
None of the above: 48%
Internal barriers to application security excellence
Perceptions about application developers & application security risk
Strongly agree and agree responses combined
Developers lack the knowledge or skill to address critical vulnerabilities in the application development life cycle: 73%
My organization does not allocate enough resources to ensure business-critical apps are secure: 70%
Developers view security as a hindrance to releasing new applications: 50%
Addressing critical vulnerabilities is most effective in the early stage of the application development life cycle: 35%
What are the most important application security risks to assess?
Average rank, 1 = most important to 5 = least important
Business use of the application (e.g., customer facing, partner facing or internal): 1.61
Functional complexity: 1.92
Platform (e.g., web/client-server/desktop/mobile): 3.05
Maturity (e.g., length of time in production): 3.87
Infrastructure complexity: 4.55
How likely would your organization cease or discontinue the renewal of an agreement with an outsourced developer that is unable to demonstrate sufficient security practices?
Very likely: 16%
Likely: 34%
Unlikely: 28%
Never: 22%
Don’t give up the ship
What attributes are most important in assessing the impact of risk to the organization?
Average rank, 1 = most important to 5 = least important
Use/processing of personally identifiable information (PII): 1.52
Use/processing of high value intellectual property: 2.18
Compliance requirements: 2.96
Legal and contractual obligations: 3.86
Potential damage to the organization’s reputation: 4.46
Budget for application security today and 12 months from now
Extrapolated values: today = 18 percent; in 12 months = 23 percent

Spending on application security activities    Today    12 months from now
< 5%                                           9%       0%
5 to 10%                                       15%      6%
11 to 15%                                      19%      18%
16 to 20%                                      27%      29%
21 to 25%                                      18%      22%
26 to 50%                                      11%      24%
More than 50%                                  1%       1%
Conclusion and recommendations
Recommendations to enhance the security risk management process
• Obtain visibility into the state of application security across the enterprise by creating an inventory of application
assets and assessing their business impact.
• Set priorities for testing and remediation that will align with business risks and strategies. Create an application
profile template that can be used to capture critical attributes of every application in the enterprise, including the
application, development team and business unit responsible for maintaining it.
• Allocate resources to help prevent the most likely and most harmful data breaches. Specifically, those applications
that use and/or process personally identifiable information and high value intellectual property should be a priority
for risk assessment, testing and remediation.
• Measure progress toward application security goals. Progress means improving the overall risk posture of the
organization and allocating resources where they will have the greatest impact in reducing business risk.
• Continuously monitor the organization’s overall risk posture and determine where additional investments in
security could reduce further risk.
• Effectively engage the application development and risk management teams in the organization’s application
security initiatives so that it is not just an IT project. Initiate this collaboration as early in the development process
as possible and provide routine updates to executive management.
• Educate developers, users and executives about the most significant threats through the review of threat data
released by organizations like OWASP and others.
To Learn More
SecurityIntelligence.com blog: access the free report.
Caveats
There are inherent limitations to survey research that need to be carefully considered
before drawing inferences from findings. The following items are specific limitations that
are germane to most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns.
We sent surveys to a representative sample of individuals, resulting in a large number
of usable returned responses. Despite non-response tests, it is always possible that
individuals who did not participate are substantially different in terms of underlying
beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree
to which the list is representative of individuals in the United States who are involved
in application security in their organizations. We also acknowledge that the results
may be biased by external events such as media coverage. Finally, because we used
a web-based collection method, it is possible that non-web responses by mailed
survey or telephone call would result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of
confidential responses received from subjects. While certain checks and balances
can be incorporated into the survey process, there is always the possibility that a
subject did not provide a truthful response.
Questions?
Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N.
Traverse City, MI 49686 USA
research@ponemon.org
Ponemon Institute: Private and Confidential

More Related Content

More from IBM Security

Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsIBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityIBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats IBM Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...IBM Security
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsIBM Security
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017IBM Security
 

More from IBM Security (20)

Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
 
See How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile MetricsSee How You Measure Up With MaaS360 Mobile Metrics
See How You Measure Up With MaaS360 Mobile Metrics
 
Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware Valuing Data in the Age of Ransomware
Valuing Data in the Age of Ransomware
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017Top 12 Cybersecurity Predictions for 2017
Top 12 Cybersecurity Predictions for 2017
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf

How to Make Application Security a Strategically Managed Discipline

  • 1. Sponsored by IBM Security. Dr. Larry Ponemon & Mr. Neil K. Jones, March 2016. How to Make Application Security a Strategically Managed Discipline.
  • 2. The sampling frame is composed of 16,373 individuals in the United States who are involved in application security in their organizations. (March 2016, Ponemon Institute: Private and Confidential.) Sample response (Freq, Pct%): Sampling frame 16,373 (100.0%); Total returns 716 (4.4%); Post-screened and rejected surveys 86 (0.5%); Final sample 630 (3.8%).
  • 3. What’s wrong with application security risk management? Strongly agree and agree responses: No visibility into the overall state of application security 67%; Application security is fragmented and carried out at a low level 65%.
  • 4. Executive support of application security initiatives (section heading).
  • 5. Perceptions about application security risk management. Strongly agree and agree responses combined: More control over applications developed in-house versus off-the-shelf software 38%; Application security is harder to achieve than other areas of security 56%; My organization does not know all applications or databases that are currently active 69%.
  • 6. What best describes your organization’s application security risk management process? Informal process that is customized by application criticality 9%; Ad hoc process 9%; Formal process that is applied consistently across the enterprise 15%; Informal process that is applied consistently across the enterprise 18%; Formal process that is customized by application criticality 21%; No process 28%.
  • 7. Who owns your organization’s application security risk management process? Other 2%; Head of quality assurance 6%; CISO or CSO 9%; Head of software development 15%; No one person or department 20%; CIO or CTO 24%; Business units (LOB) 24%.
  • 8. What challenges keep your organization’s application security posture from being fully effective? Three responses permitted: Lack of effective testing tools 18%; Not considered an organizational priority 19%; Lack of clear leadership 27%; Insufficient budget (money) 30%; Lack of in-house expertise 44%; Growth in application security vulnerabilities 46%; Pressure to release new applications 56%; Management underestimates risk 60%.
  • 9. Evolving application security threat landscape (section heading).
  • 10. What are your organization’s top application security risk management objectives? Top three responses: Other 3%; Secure critical infrastructure 11%; Preserve brand and reputation 21%; Prevent attacks 23%; Protect intellectual property (e.g., trade secrets, source code, etc.) 48%; Comply with regulations and legal mandates 62%; Minimize business disruption 63%; Minimize downtime 69%.
  • 11. Where do security compromises most likely occur? 100 points allocated based on the level of risk presented by each layer: Applications 32; Network 25; Human negligence 17; Data 12; Physical 9; Operating systems 5.
  • 12. How significant are SQL Injection and cross-site scripting threats? 7+ on a scale of 1 = no threat to 10 = significant threat: Cross-Site Scripting threat 47%; SQL Injection threat 45%.
  • 13. How effective is your organization in stopping or curtailing security compromises or exploits in software applications? 1 = not effective to 10 = very effective, extrapolated value = 4.7: 1 or 2: 20%; 3 or 4: 31%; 5 or 6: 24%; 7 or 8: 17%; 9 or 10: 8%.
  • 14. Reality of application security risk management for today’s organization (section heading).
  • 15. What are the essential and most important control activities to establish a strong application security posture? Essential and Very important responses combined: Obtain visibility into the state of application security across the enterprise 75%; Set priorities for testing and remediation that align with business risks and strategies 72%; Allocate resources to help prevent the most likely and most harmful data breaches 76%; Measure progress toward application security goals 54%; Continuously monitor the organization’s overall risk posture 53%.
  • 16. What steps does your organization take to manage application security risk? Fully and partially implemented: Create an inventory of application assets and assess their business impact 36%; Test the application for vulnerabilities 44%; Determine the risks and prioritize vulnerabilities 49%; Remediate the risks 37%; Measure progress and demonstrate compliance 25%.
  • 17. Is application security risk within your organization increasing, decreasing or staying the same? Significantly increasing 27%; Increasing 20%; Staying the same 40%; Decreasing 11%; Significantly decreasing 2%.
  • 18. What best describes the maturity level of your organization’s application security risk management program? We have not launched a security risk management program 20%; Early stage – most program activities have not been planned or deployed 25%; Middle stage – program activities are planned and defined, but only partially deployed 30%; Late-middle stage – many program activities are deployed across the enterprise 14%; Mature stage – program mission is fully accomplished 11%.
  • 19. What methods does your organization deploy to test applications for vulnerabilities? More than one response permitted: None of the above 35%; Other 5%; Interactive security testing 18%; Mobile application security testing 23%; Dynamic application security testing 36%; Static application security testing 39%.
  • 20. What best describes your organization’s application testing cycle? No planned cycle 35%; Only after new code is added 20%; More than yearly 5%; Yearly 8%; Quarterly 7%; Monthly 9%; Weekly 8%; Daily 2%; Continuously 6%.
  • 21. What steps are taken to test for vulnerabilities in applications? Other 4%; Testing is conducted throughout the application development life cycle 14%; Testing method scales efficiently from a few to many applications 21%; Ensuring tests accurately identify actual defects and eliminate false positives 25%; Covering the most current application technologies 29%; Handling mobile application vulnerabilities 33%; None of these steps taken 46%.
  • 22. What steps does your organization take to remediate the risks associated with vulnerable applications? None of the above 48%; Other 3%; Require best practices for secure authentication in application specifications so that issues are visible to developers and QA engineers 20%; Create test plans and test scripts to detect authentication defects early in the development cycle 24%; Provide code libraries or templates that address key issues 29%; Ensure developers receive training on how to secure the coding process 36%.
  • 23. Internal barriers to application security excellence (section heading).
  • 24. Perceptions about application developers & application security risk. Strongly agree and agree responses combined: Addressing critical vulnerabilities is most effective in the early stage of the application development life cycle 35%; Developers view security as a hindrance to releasing new applications 50%; My organization does not allocate enough resources to ensure business-critical apps are secure 70%; Developers lack the knowledge or skill to address critical vulnerabilities in the application development life cycle 73%.
  • 25. What are the most important application security risks to assess? Average rank, 1 = most important to 5 = least important: Infrastructure complexity 4.55; Maturity (e.g., length of time in production) 3.87; Platform (e.g., web/client-server/desktop mobile) 3.05; Functional complexity 1.92; Business use of the application (e.g., customer facing, partner facing or internal) 1.61.
  • 26. How likely is it that your organization would cease or discontinue the renewal of an agreement with an outsourced developer that is unable to demonstrate sufficient security practices? Very likely 16%; Likely 34%; Unlikely 28%; Never 22%.
  • 27. Don’t give up the ship (section heading).
  • 28. What attributes are most important in assessing the impact of risk to the organization? Average rank, 1 = most important to 5 = least important: Potential damage to the organization’s reputation 4.46; Legal and contractual obligations 3.86; Compliance requirements 2.96; Use/processing of high value intellectual property 2.18; Use/processing of personally identifiable information (PII) 1.52.
  • 29. Budget for application security today and 12 months from now? Extrapolated value for today = 18 percent; extrapolated value in 12 months = 23 percent. Share of budget spent on application security activities (today / 12 months from now): < 5%: 9% / 0%; 5 to 10%: 15% / 6%; 11 to 15%: 19% / 18%; 16 to 20%: 27% / 29%; 21 to 25%: 18% / 22%; 26 to 50%: 11% / 24%; More than 50%: 1% / 1%.
  • 30. Conclusion and recommendations (section heading).
  • 31. Recommendations to enhance the security risk management process:
    • Obtain visibility into the state of application security across the enterprise by creating an inventory of application assets and assessing their business impact.
    • Set priorities for testing and remediation that will align with business risks and strategies. Create an application profile template that can be used to capture critical attributes of every application in the enterprise, including the application, development team and business unit responsible for maintaining it.
    • Allocate resources to help prevent the most likely and most harmful data breaches. Specifically, those applications that use and/or process personally identifiable information and high value intellectual property should be a priority for risk assessment, testing and remediation.
    • Measure progress toward application security goals. Progress means improving the overall risk posture of the organization and allocating resources where they will have the greatest impact in reducing business risk.
    • Continuously monitor the organization’s overall risk posture and determine where additional investments in security could reduce further risk.
    • Effectively engage the application development and risk management teams in the organization’s application security initiatives so that it is not just an IT project. Initiate this collaboration as early in the development process as possible and provide routine updates to executive management.
    • Educate developers, users and executives about the most significant threats through the review of threat data released by organizations like OWASP and others.
  • 32. To Learn More: SecurityIntelligence.com Blog. Access the Free Report Now.
  • 33. Caveats. There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
    • Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
    • Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals in the United States who are involved in application security in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
    • Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
  • 34. Questions? Ponemon Institute. Toll Free: 800.887.3118. Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA. research@ponemon.org