- 6 Statistics that Prove You Need Application Security Training
Posted by : Sivapriya
Saturday, February 27, 2016
As well as protecting your applications and the sensitive data they contain, improving your application security can save your organisation a great deal of time and expense.

Good application security training is a crucial first step to improving your organisation’s application security. Today, I’m looking at 6 statistics that demonstrate why application security training is essential for protecting your organisation and its data.
1) At Least 70% of Vulnerabilities Exist in the Application Layer

Gartner has estimated that 70% of all vulnerabilities are caused by poor application security – and other researchers have estimated the figure to be as high as 90%.

While many organisations assume that the network layer of their infrastructure is the primary source of security vulnerabilities, it’s actually the application layer that poses the biggest threat.
2) Only 1 in 40 Web Applications has a Web Application Firewall

Web application firewalls (WAFs) inspect all traffic flowing to web applications for common attacks, such as cross-site scripting, SQL injection, and command injection.

Despite WAFs being able to detect many of the most common web application vulnerabilities, on average only 1 in 40 applications in a recent study was found to use a web application firewall to protect against common attacks.
3) 71% of Developers Believe Security is Not Addressed During the SDLC

The sooner you catch a vulnerability during the SDLC, the easier (and cheaper) it is to fix.

Despite the exponentially growing cost and complexity of fixing application vulnerabilities after deployment, more than two thirds of developers believe that their organisations make no efforts to address security during the development life-cycle.
4) Only 22% of Developers Have Any Role in Testing Application Security

Less than a quarter of software developers have any active role in testing application security during the SDLC.

This is because in most organisations, security is a separate department and the development team has very little security knowledge, making it harder to identify and remediate vulnerabilities, and to prevent them from making it into the finished product.
5) 47% of Developers Have No Mandate to Fix Vulnerable Code

Even worse: once a vulnerability is detected, almost half of developers lack the authority to fix it. Instead it is normally passed over to the security team, making the remediation process longer and allowing more time for the vulnerability to be exploited.

If security isn’t prioritised during the SDLC and developers aren’t involved in security testing for their applications, they will make the same mistakes over and over, and without a mandate to remediate these vulnerabilities, this can cause significant friction between your development and security teams.
6) 89% of Application Vulnerabilities Are in the Software Code

This is compared with only 11% that are caused by application misconfiguration. This highlights the importance of educating your development team in secure coding best practices, to guard against the most common application vulnerabilities such as those listed in the OWASP Top 10.

By teaching your developers defensive coding, your organisation can reduce vulnerabilities at the source, reducing the number of mistakes and loopholes that make it into the finished code.