New ESG Research Report Outlines Best Practices for Effective Application Security Programs
New research from TechTarget’s Enterprise Strategy Group (ESG) has identified that organizations’ application security programs struggle to keep up with the pace of software development, and it reveals best practices to secure modern software applications.
As software delivery accelerates and the volume of releases increases rapidly, the risk from vulnerabilities and the threat of malicious packages grow, but the report, “Optimizing Application Security Effectiveness,” exposes some concerning findings about the readiness of companies to handle these issues.
The scale of the problem
69 percent of organizations have experienced at least one serious security incident from a software vulnerability in the last 12 months.
Nevertheless, only 52 percent of companies say they can effectively remediate a critical vulnerability, and even fewer ― just 41 percent ― are confident in their ability to manage the security and compliance risks associated with open source software components used within internally developed applications.
Key Best Practices for Effective Application Security Programs
Establish strong collaboration early
Organizations that report the ability to efficiently remediate vulnerabilities were much more likely to encourage collaboration between application development, security, and operations to build a culture of security (52% versus 34%).
Shift security responsibilities left – with security support
Organizations able to keep up with vulnerabilities are 3.3x more likely to have extensively incorporated security into development processes. These organizations are also more likely to have automated the identification and remediation of configuration and software vulnerabilities before deployment to production (78% versus 61%).
Security plays a centralized role
Companies that can efficiently remediate vulnerabilities were much more likely
to say their security team is entirely centralized and separate from development teams (53% versus 30%).
Know what’s in your code
Organizations able to efficiently remediate vulnerabilities were also more likely to say they view being able to answer questions about their code – such as knowing its source — as critical (49 percent vs. 31 percent).
Measuring Program Effectiveness: Preventing Incidents
Finally, companies that can keep up with critical vulnerabilities succeed with the ultimate KPI for application security programs: lower security incident rates. Organizations that report the ability to efficiently remediate vulnerabilities were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit internally developed applications over the last 12 months.
It’s this combination of aligning development and security teams, a full understanding of application composition, the adoption of DevSecOps, and the management of dependencies and risk that results in robust application security without compromising the speed of development.
