Application developers continue to view security as an afterthought, but security professionals recognize that applications represent the enterprise's largest attack surface, ranging from mobile phones, iPads, and tablets to online banking tools.
- Application vulnerabilities were identified as the number one security threat – 69 percent of professionals identified it as a high concern
- Software is the most critical component to secure infrastructure – Above commercial software (61 percent) and hardware (53 percent) solutions, respondents identified secure software development as the highest-rated tool necessary to secure an organization's infrastructure
- The bigger the organization, the bigger the problem – Concerns around software security increase with company size, perhaps correlated with the greater amounts of software development in large companies, versus smaller companies that rely heavily on commercial applications
- Security’s soft underbelly – Insecure software was a contributor in approximately one-third of attributable security breaches.
- Disconnect – Only 21 percent of information security professionals are involved in software development, 20 percent in procurement, and 10 percent in outsourcing. Most respondents (75 percent) become involved during the specification requirements phase of development.
- Lack of staff – Around half of employers see their security team as understaffed.
- Application vulnerabilities are the number one security concern for 72 percent of C-level executives.
- Almost half of security organizations are NOT involved in software development.
- Insecure software was a contributor in approximately one-third of the 60 percent of detected security breaches in 2011.
- Application security, malware, and mobile threats top the list of external concerns.
While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are well-known, recurring ones rather than novel discoveries. For example, SQL injection and cross-site scripting (XSS) have appeared on the Open Web Application Security Project (OWASP) Top 10 list year after year over the past decade.
This high volume of known, recurring application vulnerabilities suggests that many development teams lack the security resources needed to address all potential security flaws, and that there is a clear shortage of qualified professionals with application security skills.