• Home

  • Documents

  • THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION...
8
THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT August 2015

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

August 2015

Page 2: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

2THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

The growth of enterprise-developed applications has made it easier for businesses to use technology to work more efficiently and productively. These enterprise applications interface and integrate with other applications, software platforms and databases used within a business, including some that are customer-facing. They can be deployed across a corporate network, Internet or Intranet.

Business demands for IT security continue to grow as more and more enterprises move their applications to the cloud and rely on partnerships with third-party software to extend and optimize their end-to-end operations. Not only are large organizations utilizing more cloud-based, SaaS products than ever before, but they are also creating applications that rely on API integrations, external data feeds and cloud services. Doing so helps the enterprise deliver more functional applications to support the business, but it also broadens the attack surface.

These applications are not only tasked with meeting complex and evolving business process goals, but they must also comply with strict security, privacy and often compliance requirements. Despite allocating millions of dollars to developing these applications, enterprises still underinvest in a critical component: securing enterprise applications against attacks. As the pace of application development speeds up and the frequency of releases increases, how are enterprises ensuring those comprehensive security needs are being met?

In an ideal world, applications would always be coded securely, pass all vulnerability scans and penetration tests, and never encounter zero-day attacks. Unfortunately, there is no such thing as invulnerable code, and in a world of rapid software release cycles, remediation is often regarded as a burdensome task that slows down the pace of business and innovation.

To understand the relationship between application development and security requirements, Prevoty surveyed more than 200 application developers on the role of security and its influence on the development process.

EXECUTIVE SUMMARY

Page 3: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

· 85 percent say vulnerability remediation has a significant impact on the ability to release applications and features on schedule and on budget.

· More than 70 percent admitted that business pressures to release application updates quickly often override security concerns.

· Nearly 80 percent of developers worry that their clients won’t trust their applications if they admit there is a security flaw.

· Nearly half (43 percent) admit to releasing applications with vulnerabilities at least 80 percent of the time.

3

Key takeaways from the survey responses include:

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

THE BUSINESS PRESSURES OF RELEASING SECURE APPLICATIONS

Developers are faced with business pressures to release applications, update features and fix bugs quickly. More than half of survey respondents say they have a release cycle of one week or less, regardless of development workflow methodologies such as agile, SCRUM, Crystal, etc.

In the rush to release new versions or updates to applications, more than 70 percent admitted that business pressures to quickly release applications updates often override security concerns.

Page 4: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

4THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

FREQUENCY OF APPLICATION RELEASES

SAY THAT BUSINESS PRESSURES OVERRIDE SECURITY CONCERNS

In addition to business pressures, regulatory requirements also demand a developer’s attention. According to Prevoty’s research, nine out of 10 security respondents were concerned with regulatory compliance. More than half (54 percent) focused on HIPAA compliance, 42 percent focused on PCI, and more than a third focused on both SOX and FISMA.

COMPLIANCE AND REGULATORY CONCERNS

SAY THEY’LL LOSE CLIENT TRUST IF THERE IS A SECURITY FLAW

Furthermore, nearly 80 percent of developers worry that their clients won’t trust their applications if they admit there is a security flaw. Add the pressure of fast release cycles with the pressure to adhere to industry demands, and developers are working under multiple constraints at breakneck speeds to release new enterprise applications.

70%

78%

Page 5: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

5

Since attack vectors are amorphous, constantly changing and evolving in subtle ways, developers may not be able to architect applications in ways that would prevent future, unknown attacks. How does someone who is not a hacker by nature stay ahead of never-before-seen attacks or new malware created by the hacking community? Application developers are in the business of building technology – not breaking it – so they may not always look at code in the same way that a hacker would.

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

RELEASING ENTERPRISE APPLICATIONS WITH VULNERABILITIES

Given short release cycles and the increase in business pressures, development teams have adapted their security practices to try to keep up with emerging threats and attacks. The practices most frequently employed are application vulnerability scans, penetration tests and dedicated in-house security resources.

According to Prevoty research, at least 82% of respondents say their companies perform some vulnerability scanning and/or penetration testing prior to application release, the research revealed something peculiar and highly alarming: applications are still being released even before all known vulnerabilities can be fixed.

To be specific, nearly half (43 percent) admit to releasing applications with vulnerabilities at least 80 percent of the time. Think about that percentage for a moment. Eighty percent of the time developers release or update a production application, they are doing so with the knowledge that they are in fact vulnerable to attack.

PERCENTAGE OF APPLICATIONS RELEASED WITH SECURITY VULNERABILITIES

Page 6: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

6

How is it that so many test and scan for vulnerabilities yet, despite these measures, openly admit that they are still releasing applications with known vulnerabilities? To understand this contradiction, it’s important to remember the business pressures of a large enterprise and the mission value of application development. After a scan takes place, it requires time, skill, patience and expertise to wade through vulnerability logs, rule out the false positives (reporting a vulnerability as present when in fact it non exists) remediate the code, re-test and re-release.

These code reviews, scans and tests can be limited in their effectiveness in servicing the true business needs of large organizations. These revelations tell us that developers want to follow best practices and comply with industry standards (or must do so for regulatory compliance reasons), using available tools to protect their applications.

The unfortunate truth is these existing tools don’t actually fix any of the vulnerabilities prior to deployment or help developers optimize their ability to detect and prevent actual malicious attacks on their production applications. Once an application is pushed into a live, runtime environment, most enterprises do not have a way of identify attacks hitting the applications so there is no view of the effectiveness of the vulnerability management program.

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

VULNERABILITIES AND THE SIGNIFICANT IMPACT ON THE BUSINESS

Prevoty’s research reveals that application developers at large enterprises do understand how critical vulnerability remediation is for the business and the damage caused by a data breach, but 85 percent say vulnerability remediation has a significant impact on the ability to release applications and features on schedule and on budget.

For enterprises with more than 1,000 employees, that same response jumps to a staggering 93 percent. This is a deep pain point as developers, risk organizations and IT departments are always being judged on performance - constantly juggling the ability to release secure enterprise applications on schedule and on budget.

Page 7: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

7THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND ON BUDGET

As discussed earlier, application developers are taking the precaution of running vulnerability scans, but even the most sophisticated scanners can’t identify all potential vulnerabilities in an application. Moreover, developers may not have the skills to scope and prioritize which vulnerabilities to remediate amidst the daily pressures of the business. The fact that so many enterprises are struggling with large vulnerability backlogs and making unfavorable tradeoffs between the demands of development and security is a testament to the inefficiencies of our current application protection and vulnerability management capabilities.

Given the destructiveness of a major data breach, it should be a business priority to make sure that all known vulnerabilities are being remediated. Unfortunately, at this time, the burden of the remediation process does not align developers with application security. Instead, it poses a threat to the goal of delivering business value to the organization at large.

Page 8: THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT · THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 7 THE IMPACT OF REMEDIATION ON THE ABILITY TO RELEASE APPLICATIONS ON TIME AND

August 2015 prevoty.com

The application development process is rife with security perils. From competing business pressures to secure code training to scanning false negatives, developers have their backs to the wall when it comes to developing and releasing applications that not only perform the function they are asked to perform, but also do so in a way that protects the company’s prized data.

Identifying vulnerabilities is an important part of the process, but nothing is actually solved without remediation actions. Prevoty’s research shows that remediation is a headache for developers -- significantly impeding their ability to release applications on time and on budget.

Moving beyond best practices for building code, if developers and their managers want to reduce their exposure to risk, they need to find scalable ways to ensure application security and consider technologies that will help reduce the pain and drain of remediation.

CONCLUSION

8THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT

METHODOLOGY

Prevoty surveyed more than 200 application and software developers in June 2015 through an online survey. Responses were collected from both male and female respondents, ages 18 and up, in the United States. Responses were voluntary and anonymous.


IMPACT OF TRANSGENIC CROPS ON GLOBAL FOOD SECURITY: …

IMPACT OF TRANSGENIC CROPS ON GLOBAL FOOD SECURITY: …

Documents
THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY · the impact of mobile devices on information security: a survey of it and security professionals october 2014 sponsored by

THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY · the impact of mobile devices on information security: a survey of it and security professionals october 2014 sponsored by

Documents
The Nature and Impact of Illegal Immigration on … 2015 The Nature and Impact of Illegal Immigration on Security in Texas The Nature and Impact of Illegal Immigration on Security

The Nature and Impact of Illegal Immigration on … 2015 The Nature and Impact of Illegal Immigration on Security in Texas The Nature and Impact of Illegal Immigration on Security

Documents
On the Impact of Security Protocols on the Performance of SNMP

On the Impact of Security Protocols on the Performance of SNMP

Documents
Cyber Security & Fraud – The impact on small businesses

Cyber Security & Fraud – The impact on small businesses

Documents
Impact of Plugins on Web Application Security

Impact of Plugins on Web Application Security

Documents
TPPA and Impact on Agriculture, Food Security & Environment

TPPA and Impact on Agriculture, Food Security & Environment

Documents
biofuel impact on poverty & food security

biofuel impact on poverty & food security

Documents
Impact of Space Security Policies on the Wider ......Impact of Space Security Policies on the Wider International Security Environment Setsuko AOKI Professor of International Law,

Impact of Space Security Policies on the Wider ......Impact of Space Security Policies on the Wider International Security Environment Setsuko AOKI Professor of International Law,

Documents
The Impact of New Technologies on Peace, Security, … Impact of New Technologies on Peace, Security, and Development Independent Commission on Multilateralism April 2016 1 Introduction

The Impact of New Technologies on Peace, Security, … Impact of New Technologies on Peace, Security, and Development Independent Commission on Multilateralism April 2016 1 Introduction

Documents
Moving to Electronic Social Security Payments: Impact on

Moving to Electronic Social Security Payments: Impact on

Documents
PCD Impact Assessment on Food Security in Tanzania

PCD Impact Assessment on Food Security in Tanzania

Documents
AN IMPACT OF INFORMATION SECURITY BREACH ON HOTEL …

AN IMPACT OF INFORMATION SECURITY BREACH ON HOTEL …

Documents
The impact of mobile devices on information security

The impact of mobile devices on information security

Technology
Perceptions on the impact of metasip on food security in

Perceptions on the impact of metasip on food security in

Business
THE IMPACT OF ABSENTEEISM ON THE PRIVATE SECURITY …

THE IMPACT OF ABSENTEEISM ON THE PRIVATE SECURITY …

Documents
The Impact of Vendor Customizations on Android Security

The Impact of Vendor Customizations on Android Security

Documents
Operational Security: Impact on Developing Secure Applications

Operational Security: Impact on Developing Secure Applications

Technology
IMPACT OF PORT SECURITY ON THE USERS AND · PDF fileLiterature Review (3): On the impact of security on maritime transport & supply chain Assurance of security in maritime supply chains

IMPACT OF PORT SECURITY ON THE USERS AND · PDF fileLiterature Review (3): On the impact of security on maritime transport & supply chain Assurance of security in maritime supply chains

Documents
Caricom Impact On Food Security

Caricom Impact On Food Security

Education
The Impact of Fraud on UK National Security

The Impact of Fraud on UK National Security

Documents
Impact of Employment on Social Security Benefits · World Institute on Disability 1 Impact of Employment on Social Security Benefits The impact employment will have on benefits The

Impact of Employment on Social Security Benefits · World Institute on Disability 1 Impact of Employment on Social Security Benefits The impact employment will have on benefits The

Documents
THE IMPACT OF INFORMATION SECURITY AWARENESS TRAINING … · the impact of information security awareness training on information security behaviour anthony stephanou a research report

THE IMPACT OF INFORMATION SECURITY AWARENESS TRAINING … · the impact of information security awareness training on information security behaviour anthony stephanou a research report

Documents
The Impact Of Environmental Degradation On Security: A

The Impact Of Environmental Degradation On Security: A

Documents
Measuring impact on Household Food Security

Measuring impact on Household Food Security

Documents
Impact on IT on Security of banking MBA

Impact on IT on Security of banking MBA

Documents
Digital security - the impact on business and IT

Digital security - the impact on business and IT

Technology
MEASURING FINANCIAL IMPACT OF IT SECURITY ON …

MEASURING FINANCIAL IMPACT OF IT SECURITY ON …

Documents
IMPACT OF THE GDPR ON CYBER SECURITY OUTCOMES

IMPACT OF THE GDPR ON CYBER SECURITY OUTCOMES

Documents
Impact of globalization on water and food security

Impact of globalization on water and food security

Technology