The 2014 Application Security Programs and Practices survey queried 488 IT and security professionals about the current and future state of application security in their organizations.
"One thing that stands out this year is the increase in the number of organizations with a formal application security program in place. Approximately 83% of respondents (up from 66%) have an Appsec program in place, and more than 37% (up from 33%) have a program that has been operating for more than five years," says SANS Analyst Frank Kim. "This indicates that a lot of progress is being made, but it also highlights that there is much more to do."
In the survey, more than 35% of respondents test the security of their business-critical applications on an ongoing basis, up from 23% in last year's survey. And, encouragingly, only a small percentage (fewer than 3%) of respondents left application security to chance and did not test at all.
The survey found that a lack of qualified staff and lack of skills are seen as the major inhibitors to instituting Appsec programs.
"This year's survey provides valuable and surprising insights into the challenges that organizations face today in implementing a successful Appsec program," says SANS Analyst Jim Bird. "It's not only funding and getting management buy-in—there are other, more fundamental problems, including a shortage of skills, that are preventing people from taking care of security where it makes the most difference, upfront in design and development."