SANS study: applications are not tested enough
Software development is increasingly entrusted to small and agile teams that can deliver executable applications and updates in a short period of time. Almost half (43 percent) of companies release new applications, updates or features on a weekly or daily basis. This brings corresponding challenges for IT security, as the SANS study shows.
61 percent of the participants in the SANS Institute's 2017 State of Application Security study indicated that security breaches involve or are caused by public web applications. The application security problem arises because security testing is not yet an integral part of rapid development and update cycles: there is often not enough time for testing. Yet good security testing in particular requires sufficient time to produce reliable results. "The pace of software development is increasing, and the technologies companies are using to support their businesses are becoming more diverse," says Jim Bird, SANS analyst and author of the study report. "Together, these variables are radically changing the way development teams, and their security and risk management teams, think and work."
Continuous security testing is rare
The security of the applications used in companies is too often neglected. Only 12 percent of respondents say that their company carries out security tests on a continuous basis. This contrasts with more than one-third of respondents whose companies either test their applications once a year at most (24 percent) or do not test regularly at all (10 percent). Companies that regularly test their applications for vulnerabilities often do so using automated code reviews or static security testing (54 percent), which can be easily integrated into rapid development cycles. However, internal penetration testing is the most popular, with 71 percent of the companies surveyed performing it. 58 percent also use external providers for penetration testing.
Security testing needs more exchange and new knowledge
The lack of time for, and integration of, security testing is a big problem for application security. A number of hurdles stand in the way of a solution. A good third of respondents (34 percent) stated that it would be necessary to establish a bridge between software development, security and compliance.
31 percent see the strong separation between the departments as a challenge. Respondents say that the security and development departments do not exchange enough information and that there is a lack of contact with the other departments. Nearly a quarter of respondents (24 percent) said application security is not adequately funded and management is not engaged enough. The same proportion of respondents said the right skills, methods and tools for security testing are lacking.
Management must recognize the need to catch up
As the SANS study shows, there are systematic problems in application security: firmly scheduled tests are missing from the development cycles. To establish them, however, the development, security and other business departments need to collaborate more. Worryingly, a quarter of respondents say that basics such as current skills, methods and tools are missing. Here, management must ensure that the right methods and tools are provided and that the skills of IT security staff are up to date.
You can find the full study here