Reducing Enterprise AppSec Risks: Ponemon Report Key Takeaways

Ponemon Institute’s Reducing Enterprise Application Security Risks: More Work Needs to Be Done looks at the reasons why many enterprises consider the application layer to be the highest security risk. Ponemon Institute, in partnership with Mend, surveyed 634 IT and IT security practitioners about their enterprises’ approach to securing applications. For this study, enterprise application security refers to the protection of applications from external attacks, privilege abuse, and data theft. 

Applications Are More Vulnerable to Attack

More than ever before, enterprises are concerned about application security. According to the survey, the top concern was hacks to insecure applications, with almost half of high-performing enterprises citing it as their greatest overall threat.

What Kinds of Hacks Concerns Your Organization the Most?

Enterprises Are Making Application Security a Priority

At any one point in time, an average of 2,672 business applications are deployed within the organizations represented in this research, and 30 percent of these applications are considered business critical. Securing all these disparate applications is no easy feat.

The good news is that more organizations are beginning to make application security a priority as shown by the adoption of a wide range of application security testing (AST) tools.

How does your organization secure applications?

More than one answer permitted.

Despite this increase in investment, many respondents reported a significant gap between the perceived risk of application security and the actual budget allocated to address it. More money is still being spent on network security even though the majority of those surveyed say it represents a lesser risk.

Addressing Vulnerabilities in Enterprise Applications

Why are applications such a big security risk? According to the enterprises surveyed, application security is challenging because current solutions don’t offer fast remediation of vulnerable applications and also suffer from a high rate of false positives. Furthermore, monitoring, detecting, and preventing attacks at the application level is still difficult. Unfortunately, the problem is only getting worse. The majority of respondents say in the past year alone that their enterprises’ portfolio of applications has become more vulnerable to attack.

Why is it difficult to remediate vulnerabilities in applications?

More than one answer permitted.

The research shows several reasons why business-critical applications continue to be at risk and why more work needs to be done:

• Remediating applications in production is slow work. More than half of respondents say it takes days, weeks, and even months to patch an application in production mode after the detection of a vulnerability.
• Collaboration between the application development and security teams is limited, according to 65 percent of respondents.
• Security is not adequately emphasized during the development of new applications, forcing both developers and security teams to play catchup.
• More investment needs to be made in application security, which isn’t funded at the same level that network security is. 
• Fewer organizations are building security features into applications under development. In 2020, only 21 percent of respondents say their organizations build security features into applications, a significant decrease from respondents five years ago.
• Security is not emphasized during the development of new applications. 

How Enterprises Reduce Application Security Risk

Some enterprises are more successful in reducing their overall risk when it comes to application security. In the report, we call them “high performers.” These enterprises follow several best practices to reduce their application security risk.

To better secure their applications to reduce risk, these organizations take the following steps:

• They establish a structured approach to build a secure software development life cycle (SSDLC) that is applied consistently across the enterprise.
• They ensure the SSDLC builds security features in at the design and development phases.
• The development and security teams operate in a highly collaborative environment to ensure the mitigation of application security risks.

The bottom line is that successful enterprises are those that make application security a priority throughout the SDLC from the very first stages of planning and development through to applications in production. Reducing application security risk depends in large part on an organization’s willingness to invest resources in it. Those that are most successful are both continuously detecting and remediating vulnerabilities using robust AST tools and have development and security teams that are constantly collaborating to secure the enterprise.

Meet The Author

Adam Murray

Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.