Managing Application Security in Large Organizations: Insights and Best Practices


Insights and best practices on how large organizations manage application security, drawn from a 2017 Security Compass survey: the key research findings, the business pressures, the drivers for application security, and the case for a systematic approach to managing application security risk. 73% of respondents rated application security a high or critical priority within their organization.


Uploaded on Sep 21, 2024



Presentation Transcript


  1. MANAGING APPLICATION SECURITY: 2017 Application Security Survey by Security Compass. Altaz Valani, Director of Research (Twitter: @altazvalani; LinkedIn: linkedin.com/in/altazvalani). April 27, 2017. Presented at:

  2. PERSONAL BIO. Director of Research at Security Compass (www.securitycompass.com), responsible for managing the overall research vision and team. Previously: Senior Research Director, Application Development, at Info-Tech Research Group; Senior Manager at KPMG; founder of a software development company. Interests: secure software development; teaching and learning; research and collaboration. MANAGING APPLICATION SECURITY PAGE 2

  3. ABOUT THE SURVEY. Purpose: to discover how large, complex organizations manage application security: the drivers, programs, and successes. Who: most respondents were large multinational companies earning >$1 billion USD (chart on the slide: survey demographic by annual earnings; Security Compass, n=28). The result: aggregated insights, industry trends, and best practices that illuminate how large corporations manage application security.

  4. KEY RESEARCH FINDINGS

  5. BUSINESS PRESSURE IS NOT GOING AWAY: increasing speed of business; increasing sophistication of risk management; increasing pressure on cost control.

  6. WHAT IS DRIVING APPLICATION SECURITY? 79% of respondents stated that general risk management was the key driver for their organization's application security. Security Compass (n=28)

  7. CONCLUSION: WE NEED A SYSTEMATIC WAY OF MANAGING APPLICATION SECURITY RISK. 79% of respondents stated that general risk management was the key driver for their organization's application security. (Diagram: a repeating cycle of Identify control, Implement control, Validate control, plotted as risk against software project progress.)

  8. HOW IMPORTANT IS APPLICATION SECURITY? 73% of respondents stated that application security is a high or critical priority within their organization. Security Compass (n=26)

  9. ORGANIZATIONAL SUPPORT FOR APPLICATION SECURITY (BY INDUSTRY). (Chart by industry on a scale from 1 = no support to 5 = support across the board; Security Compass, n=21.)

  10. ADOPTION OF SECURITY AWARENESS TRAINING BY DEVELOPERS. There is resistance to adoption of security awareness training; many see it as extra work that gets in the way of releasing software. (Chart on a scale from 1 = no training to 5 = all developers are trained; Security Compass, n=22.)

  11. TRACKING THE EFFECTIVENESS OF AN APPLICATION SECURITY PROGRAM. 75% of respondents stated that the number of vulnerabilities found was a key metric used to track the effectiveness of their application security program. Only 4% of respondents stated that they used the amount of money spent on remediating vulnerabilities as a key metric. Security Compass (n=28)

  12. KEY SECURITY ACTIVITIES PERFORMED. (Chart grouping activities into shift-left activities and testing activities; Security Compass, n=28.)

  13. 46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS. Of the application-level risks present in source code, SAST and DAST find 54%*, and of the risks found, 54% are remediated* (average time to remediation = 316 days*). Combining the two (0.54 x 0.54) gives roughly 30% of total risks found and fixed, 24% found but not fixed, and 46% never found at all, so 70% of risks remain unaddressed. *Adapted from: National Institute of Standards and Technology, Report on the Static Analysis Tool Exposition IV; Gartner for Technical Professionals, Application Security: Think Big and Start with What Matters; Veracode, State of Software Security, 2016; WhiteHat Security, Web Applications Security Statistics Report.

  14. 46% OF APPLICATION-LEVEL RISKS ARE NOT COVERED BY SAST & DAST TOOLS (continued). Same figures as the previous slide (54% of risks found, 54% remediation rate, average time to remediation 316 days; 30% of total risks found and fixed, 24% found but not fixed, 46% not found, 70% unaddressed; sources as cited there). Reasons the 46% are missed, from a forthcoming Security Compass whitepaper:
     - Intent
     - Pointer reference manipulation
     - Compiler optimization
     - Application boundary
     - Scanner optimization side effects
     - Runtime class creation
     - Halting problem
     - CERT non-automation

  15. KEY SECURITY ACTIVITIES PERFORMED. (Diagram: the activities laid out across the software development life cycle: requirements, management, code review (SAST), pen testing (DAST).)

  16. TRACKING THE EFFECTIVENESS OF AN APPLICATION SECURITY PROGRAM. We have jumped straight to validation without identifying the root cause and implementing the appropriate controls to reduce application security risk. (Same diagram as slide 7: Identify control, Implement control, Validate control, plotted as risk against software project progress.) Security Compass (n=28)

  17. DO YOU PRIMARILY BUILD IN-HOUSE OR BUY THIRD-PARTY SOFTWARE? (Chart with the answer options: build in-house; buy and configure COTS; a roughly equal mix of in-house and COTS; a roughly equal mix of in-house, COTS, and outsourced. Security Compass, n=26.)

  18. ENSURING THE SECURITY OF THIRD-PARTY VENDORS

  19. KEY TAKEAWAYS. (Diagram: a software security requirements management platform with four components: testing integration and aggregation; threat modeling; requirements generation; ALM integration.) Bottom line: develop secure applications to minimize the many risks that arise from the exploitation of vulnerabilities.

  20. KEY TAKEAWAYS.
     - Adopt the correct metrics to drive your program. Strive for objective, quantified metrics that measure risk beyond vulnerabilities (e.g. the approach of How to Measure Anything in Cybersecurity Risk). Stop tracking your app sec program by the number of vulnerabilities detected by scanners alone.
     - Use a software security requirements management platform (e.g. SD Elements, the OWASP Security Knowledge Framework) and/or tool-assisted threat modeling (e.g. the Microsoft Threat Modeling Tool). Traceable requirements coupled with test cases are more forward looking and comprehensive.
     - Require your vendors to meet a higher standard for secure SDLC (e.g. ISO 27034, vBSIMM, or Microsoft's SDL).
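Slides 14 and 20 make one concrete point between them: a scanner cannot flag code that correctly does the wrong thing (the "intent" blind spot), and the control that catches it is a security requirement with a test case traced to it. The Python below is an added example written for this page; it is not code from Security Compass, from the survey, or from SD Elements or any other tool the slides name. The invoice data, the requirement ID REQ-AUTHZ-001, and every function name are constructed for illustration.

```python
"""Added example (not from the Security Compass survey or slides).

Shows an "intent" flaw, one of the scanner blind spots listed on slide 14:
the insecure function below has no injection, no dangerous API call and
no crashing input, so SAST pattern/taint rules and DAST fuzzing report
nothing; it simply does not enforce what the business intends. The
traceable requirement with its executable test (slide 20) is what catches
it. All names, IDs and data here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed sample data standing in for an invoices table.
INVOICES: Dict[int, Invoice] = {
    101: Invoice(invoice_id=101, owner_id=7, total_cents=120_00),
    102: Invoice(invoice_id=102, owner_id=8, total_cents=9_99),
}


class Forbidden(Exception):
    """Raised when a caller asks for a resource they do not own."""


def get_invoice_insecure(user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable: an insecure direct object reference.

    Every statement is a well-typed dictionary lookup; there is no taint
    source, sink or sanitizer for a scanner to match, so it has nothing
    to report. The defect is that user_id is never consulted, so any
    authenticated user can read any invoice.
    """
    return INVOICES[invoice_id]


def get_invoice(user_id: int, invoice_id: int) -> Invoice:
    """Hardened: the ownership check is the business intent made explicit."""
    invoice = INVOICES[invoice_id]
    if invoice.owner_id != user_id:
        # Deny rather than silently filter: a wrong owner is a policy violation.
        raise Forbidden(f"user {user_id} may not read invoice {invoice_id}")
    return invoice


# A security requirement with a traceable ID (constructed), as a
# requirements-management platform would record it.
REQUIREMENTS: Dict[str, str] = {
    "REQ-AUTHZ-001": "A user may retrieve only invoices that they own.",
}

Lookup = Callable[[int, int], Invoice]


def check_req_authz_001(lookup: Lookup) -> bool:
    """Executable acceptance test traced to REQ-AUTHZ-001.

    Passes only if the owner can read their own invoice AND a different
    user is refused. Returns a boolean so the verdict can feed a
    requirements-coverage metric instead of a vulnerability count.
    """
    own_access_ok = lookup(7, 101).invoice_id == 101
    try:
        lookup(7, 102)  # user 7 asking for user 8's invoice
        cross_user_refused = False
    except Forbidden:
        cross_user_refused = True
    return own_access_ok and cross_user_refused


def requirements_coverage(lookup: Lookup) -> Dict[str, bool]:
    """Map every requirement ID to its test verdict for the given build.

    This is the kind of metric slide 20 asks for: which requirements are
    verified for this release, rather than how many scanner findings exist.
    """
    tests = {"REQ-AUTHZ-001": check_req_authz_001}
    return {req_id: tests[req_id](lookup) for req_id in REQUIREMENTS}


if __name__ == "__main__":
    for name, fn in (("insecure", get_invoice_insecure), ("hardened", get_invoice)):
        print(name, requirements_coverage(fn))
    # insecure {'REQ-AUTHZ-001': False}
    # hardened {'REQ-AUTHZ-001': True}
```

Run against the insecure lookup, the requirement test fails while a scanner stays silent; run against the hardened one, it passes. Wiring `requirements_coverage` into the build gives a per-release count of verified requirements, which is a forward-looking measure of the controls in place rather than a tally of what a tool happened to find.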

  21. THANK YOU. For a copy of the full report, please visit: https://www.securitycompass.com/managingapplicationsecurity2017/ or email us at: info@securitycompass.com
