Ponemon Institute Study: Most Organizations ‘Don’t Know What They Do Know’ When Assessing Application Security Risk
App Sprawl Fuels Need for Effective Application Security Risk Management
It’s becoming virtually impossible to escape mobile apps. As a consumer, every time you go shopping, attend a major event, post content to social media or listen to the radio, you’re encouraged to download new, customized applications from content providers. Similarly, customer demand for new or updated functionality has shortened software release cycles and led to an explosion of software-based games, fitness applications and quickly evolving versions of popular social media content.
As a result of this market reality, organizations need to rapidly introduce new applications in order to outpace competition and meet customer demand. Gartner predicted that by 2017, market demand for mobile application development services would grow at least five times faster than internal IT organizations’ capacity to deliver them.
AppSec Risk Management Evolves From ‘Nice to Have’ to Mission-Critical Requirement
In the legacy environment of longer release cycles and less frequent updates, organizations could treat application security risk management as a nice-to-have element. However, the current explosion of new applications has made application security risk management a mission-critical requirement.
Consider the following statistics:
- According to IBM X-Force Data, 28 percent of overall vulnerability disclosures in 2015 were targeted at Web applications.
- It’s been reported that at any given time, malicious code infects more than 11.6 million mobile devices. To put that figure into perspective, it’s roughly equivalent to the population of Ohio.
- A 2015 Ponemon Institute report, sponsored by IBM, found that 50 percent of companies have zero budget dedicated to mobile app security.
To spotlight this growing area of potential risk, a new study from IBM and Ponemon Institute surveyed application security professionals to determine their effectiveness at managing application security risk. The results revealed several eye-opening trends related to how organizations are approaching application security and why many approaches are falling short.
Application Expansion and Rush to Release Have Increased Security Risk
It’s no surprise that pressure to release apps quickly has been a leading cause of security missteps. Our latest survey results revealed that many organizations don’t address the problem effectively.
- 56 percent of respondents said their organizations are influenced by pressure to release new apps quickly. App developers are primarily focused on business value, user experience and addressing inconveniences that apps seek to resolve. As a result, many developers miss big-picture implications of applications beyond the apps’ core purposes, as well as potential headaches such as security vulnerabilities.
- 35 percent of respondents said their organizations do not perform any major application security testing methods prior to application deployment. Application security testing permits organizations to address potential application vulnerabilities by remediating them prior to release. The survey indicated that basic security steps like these are often neglected even though they represent a critical development life cycle requirement.
Organizations Struggle to Manage Applications Currently in Production
While the rush to release is creating a flood of new apps with questionable security protection right out of the starting gate, perhaps an even bigger concern is what happens to those apps once they’ve been deployed.
Among the most alarming findings of our study, respondents admitted that their organizations are struggling to keep tabs on apps they currently have in use, let alone secure them.
- 69 percent of respondents didn’t know all the apps and databases currently active in their organizations. Unfortunately, the 69 percent figure isn’t a misprint. Development teams are frequently unable to keep tabs on apps that have already been deployed or fully digest potential risks that have been introduced into corporate systems.
- About 48 percent of respondents said their organizations don’t actually take basic security measures to remediate vulnerabilities. How can organizations protect their applications when they don’t even engage in basic security measures such as dynamic application security testing (DAST), static application security testing (SAST) and interactive application security testing (IAST)?
We anticipate that these issues will continue to present more significant challenges as a growing number of apps are introduced and others require more frequent updates.
Break the Rush-to-Release Cycle and Secure Your Expanding App Infrastructure
While the picture painted by the recent survey results is grim, there are simple steps that organizations can take to break the rush-to-release cycle and secure their growing application empires. In a nutshell, organizations need to move from a whack-a-mole approach of fixing applications one at a time to a more strategic risk management framework.
Here are a few steps IBM recommends to get you started.
1. Get the Full Picture
- Coordinate with other divisions and geographic regions to determine which apps are actively being utilized throughout your organization. Maintain a list of the applications, update it on a regular basis and track your remediation progress.
- Determine which apps are past their support life spans and find out how you’re protecting them.
- Conduct an inventory of applications that are still active but not used or monitored. In most cases, their end of life should be determined immediately and user access should be terminated.
2. Unify Practices
According to the study, 65 percent of sampled respondents said their organizations have fragmented security practices carried out at low levels in the organization.
We recommend the following actions to better unify application security across the enterprise:
- Educate executive management about security risks associated with the expansion of application usage. Demonstrate how a potential breach of a critical application could significantly impact your organization’s brand image and its bottom line.
- Select a division within your organization that effectively manages application security and incorporate its best practices into businesswide educational programs. Spotlight areas where that division has reduced costs or significantly lowered the potential impact of vulnerabilities.
3. Staff Up
The survey found that 70 percent of respondents believed they didn’t allocate sufficient resources to ensure business-critical apps are kept secure.
- Invest in security training for your app development teams and leverage automated application security testing solutions such as IBM Security AppScan to permit developers to test applications quickly, efficiently and independently.
- Take time to assess which of your applications are truly mission-critical crown jewels. Examples of crown jewels could be privileged finance, customer relationship management (CRM) and e-commerce applications. Focus on protecting those applications first and target remediation efforts on the most significant vulnerabilities in those applications.
- Reframe executive management’s mindset by educating them on potential costs associated with security breaches. Following that approach will remind them that effective security protection is way more than a cost center.
4. Get a Handle on Vulnerabilities
In the study, 46 percent of respondents confessed that growth in security vulnerabilities prevents their security posture from being effective.
We recommend the following actions:
- Utilize application security testing technology that ties into evolving threat data, which will permit you to become more effective at remediating high-priority app vulnerabilities.
- Learn more about IBM’s Cognitive Intelligent Finding Analytics capabilities. These capabilities dramatically reduce the number of testing results that you need to manage after conducting noisy SAST analysis, which produces a high volume of vulnerability findings.
- Working in conjunction with your management team, decide which risks are too inconsequential or unlikely to have a significant impact on your business. You may wish to accept those app risks.
In summary, only when organizations assess the full scope of their application security preparedness can they begin to prioritize and reduce risks that are introduced by rapidly growing application infrastructures.
For Additional Information
Download the full Application Security Risk Management Study from the Ponemon Institute.
You can also download a complimentary copy of Ponemon Institute’s more recent “2017 State of Mobile & Internet of Things (IoT) Application Security” study.