Results of the SANS 2017 Application Security Survey
Fast development is actually improving application security, according to results of a new survey to be released in a two-part webcast hosted by SANS Institute on Tuesday, October 24 and Wednesday, October 25. Organizations able to make changes to their code continuously, daily or weekly are also fixing more security vulnerabilities than their slower-moving competitors, and with better results.
Fast development has resulted in many other improvements, according to results, including:
- Breaking down traditional silos
- Moving more responsibility for security testing directly to developers or cross-functional teams
- Building up end-to-end workflow automation, which integrates security into Agile and DevOps toolchains so they can test security faster and more often
“The speed of software development is accelerating, and the technologies organizations use to support businesses are becoming more diverse,” says Jim Bird, SANS Analyst and author of the survey report. “Together, those variables radically change how development teams—and their security/risk management teams—think and work.”
Roughly 43% of respondents’ organizations are pushing out changes weekly, daily or continuously; these are the fast-moving organizations. But speed doesn’t necessarily mean that organizations are subject to more breaches. In fact, only 15% of this year’s respondents reported experiencing a breach over the past two years.
Of those that were breached, the biggest sources of breaches continued to be public-facing web applications and Windows OS, closely followed by legacy applications (which are often left untested because security teams either aren’t aware of them or don’t have access to their source code). Custom applications are another common target of attack.
“The sources of breaches don’t change that much,” says Eric Johnson, Application Security Curriculum product manager at SANS. “But application security teams must adapt to the increasing speed of development to successfully control their risks.”
Fast-moving organizations test more frequently. This leads to more automation and embedded review processes. In the survey, 54% of organizations are employing automated code review and Static Application Security Testing (SAST).
“The faster an organization wants to move, the more it needs automation,” says Frank Kim, the SANS Management and Software Security Curriculum lead. “But that automation comes with some trade-offs.”
While organizations can run many automated tests, those tests must be highly targeted, leaving room for vulnerabilities to slip through, he continues. “Periodic pen testing, in-depth manual reviews, configuration auditing, deep scanning and fuzzing are still needed to find errors that escape tight automated loops.”
Full results will be shared during a two-part webcast at 1 PM EDT on both Tuesday, October 24 and Wednesday, October 25, sponsored by Rapid7, Synopsys, Tenable, Veracode, and WhiteHat Security, and hosted by SANS. Register to attend the webcasts at www.sans.org/u/wUu and www.sans.org/u/wUz.
Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and application security expert, Jim Bird, with advice from Eric Johnson, Frank Kim and Barbara Filkins.
Source – PR Newswire