Monday, September 23, 2013

How To Reduce Application Security Risk?

Survey shows serious misalignment between IT Executives & Engineers

Ponemon Institute independently surveyed 642 IT professionals in both executive and engineering positions. The majority of the respondents were at a supervisory level or higher, and over half were employed by organizations with more than 5,000 employees.

Based on the responses, the primary finding is that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.

This is a serious and potentially dangerous misalignment. Another troubling conclusion is that most organizations are only taking minimal steps to address application security throughout their development process.

The most effective way to reduce application security risk is to implement a formal, repeatable development process that includes secure coding standards to enable the early detection and remediation of vulnerabilities.

Mature organizations tend to have highly effective application security programs that include the three pillars of a secure SDLC:

  • Application Security Standards
  • Regular Security Assessments for measurement
  • Training for each role in the SDLC


The mature organizations share common characteristics by:

  • Writing and adopting security architecture and development standards.
  • Training their development teams on application security topics based on role, platform, and technology used.
  • Conducting regular assessments on their applications and processes to make sure the implementation of standards is effective.
  • Ensuring that their executives, technicians and staff understand the importance of application security as part of the organizations’ overall risk management strategy and collaborate on ensuring the practices described above are in place.
