Application vulnerabilities still a top security concern
Respondents to a new (ISC)2 study identified application vulnerabilities as their top security concern. A significant gap persists between software developers’ priorities and security professionals’ concerns.
Application developers continue to view security as an afterthought but security professionals recognize that applications represent the enterprise’s largest attack surface, ranging from mobile phones to iPads, tablets, and online banking tools.
The threat:
- Application vulnerabilities were identified as the number one security threat – 69 percent of professionals identified it as a high concern
- Software is most critical component to secure infrastructure – Above commercial software (61 percent) and hardware (53 percent) solutions, respondents identified secure software development as the highest rated tool necessary to secure an organization’s infrastructure
- The bigger the organization, the bigger the problem – Concerns around software security increase with company size, perhaps correlated with the greater amounts of software development in large companies, versus smaller companies that rely heavily on commercial applications
- Security’s soft underbelly – Insecure software was a contributor in approximately one-third of attributable security breaches.
The cause:
- Disconnect – Only 21 percent of information security professionals are involved in software development, 20 percent in procurement, and 10 percent in outsourcing. Most respondents (75 percent) become involved during the specification requirements phase of development.
- Lack of staff – Around half of employers see their security team as understaffed.
Other key findings include:
- Application vulnerabilities are the number one security concern for 72 percent of C-level executives.
- Almost half of security organizations are NOT involved in software development.
- Insecure software was a contributor in approximately one third of the 60 percent of detected security breaches in 2011.
- Application security, malware, and mobile threats top the list of external concerns.
“Without action, this soft underbelly of business and governmental entities has and will continue to be exposed with serious consequences—data breaches, disrupted operations, lost business, brand damage, and regulatory fines,” commented W. Hord Tipton,, executive director of (ISC)2. “Furthermore, deepening engagements in software development cannot occur in isolation or be the exclusive responsibility of the information security workforce. Other relevant functional groups—software developers, application owners, and the quality assurance and testing teams—must also internalize secure software development best practices and engage with information security professionals on a regular basis.”
While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are previous, rediscovered threats. For example, SQL injection and cross-site scripting (XSS) have appeared on the Open Web Application Security Project (OWASP) Top 10 list year after year over the past decade.
This high volume of known application vulnerabilities suggests that many development teams do not have the security resources needed to address all potential security flaws and that there is a clear shortage of qualified professionals with application security skills.