According to the SANS 2016 State of Application Security survey, sponsored by Checkmarx, application security (AppSec) is maturing for most organisations which, in a world with an ever increasing volume of applications being released to market, is good news. But why is it important? What does this maturity look like? Which industries are performing best? What are the remaining challenges and what are the recommendations for successful AppSec programmes?
The case for AppSec
When it comes to developing applications, writing the code is at the core of everything. Unfortunately, there is currently little regulation and few industry standards for writing code, and because vendors are commercially driven to release applications and updates to the market as quickly as possible, developers are measured on how quickly they can code rather than on how securely they can code. Normally, developers will create the code and then hand it over for someone else to test via black box testing methods such as pen testing. After the testing phase, the code is given back to the developers so they can re-code to fix any bugs or vulnerabilities found. This often puts the vendor in the tricky position of choosing whether to fix bugs that affect the user experience or vulnerabilities that could potentially result in a data breach, because there simply isn't time to do both.
With AppSec programmes, we could prevent the bad code from being written in the first place by bringing security into the fold earlier in the Software Development Life Cycle (SDLC). A strong white box testing method such as Static Application Security Testing (SAST) enables developers to identify any coding errors and tackle them straight away, reducing the costs associated with late detection of vulnerabilities such as re-coding and delays to release times. Once security is at the core of the SDLC, we can secure the root application code and then we have a much better chance of preventing vulnerabilities that hackers can capitalise on.
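To make the white box idea concrete, here is a small added example, not code from the SANS report or from Checkmarx, of what a SAST-style check does: it parses source code rather than running it, looks for a risky pattern at the point where it is written, and can therefore block a commit before any pen test sees the build. The two rules, the sink name `execute`, and the `VULNERABLE` and `HARDENED` snippets are all constructed for this illustration; a real SAST engine carries far more rules and tracks data flow across functions.

```python
"""Minimal SAST-style check over Python source (added illustration).

Two constructed rules:
  SQLI - cursor.execute()/executemany() whose query is assembled with
         string concatenation, %-formatting, str.format() or an f-string,
         instead of a constant query plus bound parameters.
  EVAL - any call to the built-in eval().
The scanner reads the abstract syntax tree, so nothing is executed.
"""
import ast
from dataclasses import dataclass
from typing import List

SQL_SINK_NAMES = {"execute", "executemany"}  # assumed DB-API style sinks


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime."""
    if isinstance(node, ast.JoinedStr):  # f-string with placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    return False


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Rule SQLI: first argument to a SQL sink is a runtime-built string
        if (isinstance(func, ast.Attribute) and func.attr in SQL_SINK_NAMES
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding(
                "SQLI", node.lineno, "query built from a dynamic string"))
        # Rule EVAL: direct call to the eval() built-in
        if isinstance(func, ast.Name) and func.id == "eval":
            self.findings.append(Finding(
                "EVAL", node.lineno, "eval() on runtime data"))
        self.generic_visit(node)  # keep walking nested calls


def scan_source(source: str) -> List[Finding]:
    """Return all findings for one source file, in line order."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


def passes_gate(source: str) -> bool:
    """The kind of yes/no answer a pre-commit or CI step would act on."""
    return not scan_source(source)


# Constructed sample: the "before" a developer might hand to a pen tester
VULNERABLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def load(cursor, uid):
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")

def calc(expr):
    return eval(expr)
'''

# Constructed sample: the same functions after the developer fixes them
HARDENED = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))

def load(cursor, uid):
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))

def calc(expr):
    import ast
    return ast.literal_eval(expr)
'''

if __name__ == "__main__":
    for f in scan_source(VULNERABLE):
        print(f"line {f.line}: {f.rule} - {f.detail}")
    print("vulnerable passes gate:", passes_gate(VULNERABLE))
    print("hardened passes gate:", passes_gate(HARDENED))
```

Run against the constructed snippets, the scanner reports the two dynamic queries and the `eval()` call in `VULNERABLE` and nothing in `HARDENED`, which is the difference between finding the defect at the developer's desk and finding it in a pen test report weeks later.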
The current maturity of AppSec
The majority of the 457 respondents who participated in this SANS survey claimed that their AppSec programmes were either mature or maturing. The largest group, 38 per cent, said their programmes were maturing, 22 per cent said they were mature, and a further 4 per cent said they were very mature. Of course, that leaves a not insignificant number of respondents with an immature or even non-existent AppSec programme. It's clear that this is still a developing area; we're at a critical turning point in overall enterprise security programmes, but the AppSec maturity levels already accomplished certainly look optimistic for the future of secure code and the avoidance of data breaches.
AppSec by industry
AppSec is receiving C-suite attention in companies that are subject to government or industry regulations, which is affecting the different levels of maturity across sectors. Among the industries with the highest levels of AppSec programme maturity were high tech industries, financial and banking organisations and the telecoms industry, each with a combined 'very mature, mature, and maturing' percentage in the 70s. It is thought that the number of applications developed within these top industries and the sensitivity of the data are two of the core reasons why those industries are leading the way and, of course, it's not surprising that they are also the ones being driven by regulation.
On the other hand, it is the education sector that the report shows as lagging seriously behind in the application security stakes with immature and non-existent AppSec plans accounting for 73 per cent of respondents in that sector. The report highlights the concern that this should cause due to the number of public-facing web applications used by educational institutions for registration, purchasing textbooks, and more.
While not every industry is regulated and AppSec certainly isn't mandatory for all industries, organisations should keep two things in mind. Firstly, hackers will hack any organisation in any industry regardless of whether it is regulated or not, so all organisations are at risk. Secondly, with the EU GDPR set to come into force in less than two years, all organisations will be liable for a fine of up to 4 per cent of global annual turnover in the event of a data breach. To avoid these fines, organisations should be doing everything they can to avoid a data breach, and an AppSec programme could go a long way towards proving to a national enforcement body, such as the ICO in the UK, that you are taking the risks of a data breach seriously.
Public-facing web applications and legacy applications were causing the most concern for respondents with 23 per cent claiming they had been the source of a data breach, data loss or an attack on other applications. In terms of languages, Java and .Net are the predominant languages used in modern enterprise web applications and these were the ones that respondents were most concerned about although the report does caveat that this is likely due to their popularity rather than specific weaknesses.
In addition to this, the top challenges in implementing application security were identified as: the lack of AppSec skills, tools and methods (38 per cent), lack of funding or management buy-in (37 per cent) and silos between security, development and business units (33 per cent).
Success in terms of education and senior management buy-in should positively impact most of the challenges outlined in the report.
Education of developers is paramount to plugging the AppSec skills gap and encouragingly, 48 per cent of respondents to the survey point to training developers as one of the top three AppSec processes. But education shouldn't stop there. A broader education around data security should be given to all employees to help avoid a data breach.
Of course, senior management need to be educated too, but this is at a higher level and largely around the financial and reputational impact of a data breach. Getting buy-in from this group should be hugely helped by the impending threat of the fine of up to 4 per cent under the EU GDPR. I would be surprised if within the next six to 12 months the Boards of most organisations have not tasked their senior management teams with devising strategies to avoid data breaches. At that stage, it will be a question of the AppSec teams proving the value of developing secure code at source to those in charge of the purse strings, and of IT security teams without AppSec programmes doing the same.
Amit Ashbel, cyber security evangelist at Checkmarx