SANS Institute - 2015 State of Application Security: Closing the Gap
The gap between developers and protectors of applications is closing slightly, according to the SANS 2015 State of Application Security Survey. In this year’s survey, 435 qualified respondents answered application security questions from two different perspectives:
• Builders—Developers and development organizations—who represent 35% of qualified respondents
• Defenders—Security and operations teams responsible for securing applications and running secure systems—who account for 65% of qualified respondents
SANS and other institutions have long recognized that these two groups need to climb out of their silos and work more closely together if we’re going to build better, more reliable and more secure systems. Thankfully, this change is already occurring.
Because the industry is experiencing so many high-profile application security breaches that result in the compromise of personally identifiable information (PII), builders and their managers are becoming more aware of how important—and how hard—it is to write secure software. Today, application security experts are reaching out to builders and speaking at their conferences. As a result, builders are more aware of the risks inherent in the same applications that defenders are concerned with. Both groups also identify the most popular development languages and platforms (including Java and .NET) as the highest sources of security risk.
While closer alignment bodes well for the future of applications, the results also show continued gaps between the groups, such as builders leaving security to “someone else” and defenders trying to force security through compliance reviews and penetration testing rather than working with builders to design and build in security from the start.
The top three challenges for defender teams directly reflect problems that IT security professionals have in engaging with builders:
• Identifying all of the applications in the application portfolio—information that builders could easily provide
• Fear of modifying production code and potentially breaking an app
• Organizational and communications silos between security, application development and the rest of the organization
The top challenges for builders are completely different, and so are their goals and priorities:
• Need to focus on delivering features and meeting time-to-market deadlines
• Lack of skills or knowledge to build secure software
• Lack of management buy-in or funding
This paper discusses these challenges and how they are made more complicated by the rapidly accelerating pace of development and lack of control over applications hosted in the cloud.