Join us for the FREE Cyber Defense Forum | Live Online on October 9

Press

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






SANS Institute Application Security Survey Finds Sharp Increase in Formalized Appsec Programs but Lack of Skills Hindering Effective Programs

  • Bethesda, MD
  • February 3, 2014

SANS Institute today announced that in its recent survey of 488 IT professionals, an ongoing shortage of skills in application security is severely hampering the implementation of effective Appsec programs.

The 2014 Application Security Programs and Practices survey, sponsored by Hewlett-Packard, Qualys and Veracode, queried IT and security professionals about the current and future state of application security in their organizations.

"One thing that stands out this year is the increase in number of organizations with a formal application security program in place. Approximately 83% of respondents (up from 66%) have an Appsec program in place, and more than 37% (up from 33%) have a program that has been operating for more than five years," says SANS Analyst Frank Kim. "This indicates that a lot of progress is being made, but it also highlights that there is much more to do."

In the survey, more than 35% of respondents test the security of their business-critical applications on an ongoing basis, up from 23% in last year's survey. And, encouragingly, only a small percentage (fewer than 3%) of respondents left application security to chance and did not test at all.

The survey found that a lack of qualified staff and lack of skills are seen as the major inhibitors to instituting Appsec programs.

"This year's survey provides valuable and surprising insights into the challenges that organizations face today in implementing a successful Appsec program," says SANS Analyst Jim Bird. "It's not only funding and getting management buy-in--there are other, more fundamental problems, including a shortage of skills, that are preventing people from taking care of security where it makes the most difference, upfront in design and development."

Results and insights surrounding application security will be released during a webcast on Wednesday, February 12, at 1 PM EST. To register for the complimentary webcast please visit: http://www.sans.org/info/150770

Those who register for these webcasts will be given access to an advanced copy of the associated report developed by Jim Bird and Frank Kim.

The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)