Save $400 on 4-6 Day Cyber Security Courses at SANS Baltimore Fall 2018. Ends 7/18.


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS Survey: Closing the Gap in Application Security

Shared Focus; Differing Challenges; Training Needed

  • Bethesda, MD
  • May 4, 2015

The gap between application builders (developers and development organizations) and defenders (security and operations teams responsible for securing apps) is closing slightly, according to the SANS 2015 Survey on Application Security Practices.

"This year's survey shows that builders and defenders are finding better ways of working together," says SANS Analyst and lead author for the application security survey series Jim Bird.

That change is evident in the shared focus of the two groups surveyed. In the survey, 53% of respondents say their organizations are thinking about security starting at the planning/requirements phase of the application life cycle. Less than 10% now leave security to the last minute before product release.

Public-facing web, mobile and cloud applications are key development platforms for builders--and those same categories are of the greatest concern to defenders in terms of perceived risk. Budgets are being directed to these targeted areas, with 79% of respondents applying security resources to public-facing web applications, 62% to mobile applications and 53% to applications in private or public clouds.

However, when it comes to challenges in building or defending these applications, the goals of builders are different than the goals of defenders, indicating a continued chasm between security teams and developers.

For builders: Their challenges come from focusing on features and time-to-market concerns, as well as the lack of secure coding skills and management buy-in or funding.

For defenders: Because they handle the lion's share of application security after development, developers struggle with identifying all of the applications in a portfolio, fear of breaking an application, and navigating through organizational silos that make coordination of efforts more difficult.

"Continued outreach, education and cooperation between groups must continue to improve in order to overcome these challenges," says Bird.

Targeted, role-specific training in secure coding is essential for builders. But defenders and everyone who is involved in developing software should, at a minimum, understand the fundamental security risks and issues in application development and what their roles and responsibilities are.

"DevOps, new tools and training have helped builder and defender teams to work together," Bird adds. "But they are still too far apart when it comes to priorities and organizational challenges."

In fact, 47% of respondents believed their application security programs needed to be improved.

"Executive management is starting to understand the risks and costs of poor application security," Bird continues, "This still needs to be translated into action."

Full results will be shared during a two-part webcast. Part 1, Wednesday, May 13, 2015, at 1 PM EDT will focus on defender issues. Part 2, on Thursday, May 14, 2015, at 1 PM EDT will focus on builder issues. The series is sponsored by Hewlett-Packard, Qualys, Veracode, Waratek, and WhiteHat Security, and hosted by SANS. Register to attend Part 1 at and Part 2 at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analysts and application security experts, Jim Bird, Eric Johnson and Frank Kim.


#APPSEC Survey Results presented in 2 webcasts - REGISTER: PT 1, 5/13; PT 2, 5/14 #infosec

Update your #APPSEC Knowledge Base!! 2 Webcasts at 1pm EDT: MAY 13,; MAY 14, #infosec

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (