SANS Survey: Closing the Gap in Application Security

Bethesda, Md. – The gap between application builders (developers and development organizations) and defenders (security and operations teams responsible for securing apps) is closing slightly, according to the SANS 2015 Survey on Application Security Practices.

"This year's survey shows that builders and defenders are finding better ways of working together," says SANS Analyst and lead author for the application security survey series Jim Bird.

That change is evident in the shared focus of the two groups surveyed. In the survey, 53% of respondents say their organizations are thinking about security starting at the planning/requirements phase of the application life cycle. Less than 10% now leave security to the last minute before product release.

Public-facing web, mobile and cloud applications are key development platforms for builders--and those same categories are of the greatest concern to defenders in terms of perceived risk. Budgets are being directed to these targeted areas, with 79% of respondents applying security resources to public-facing web applications, 62% to mobile applications and 53% to applications in private or public clouds.

However, when it comes to challenges in building or defending these applications, the goals of builders are different from the goals of defenders, indicating a continued chasm between security teams and developers.

For builders: Their challenges come from focusing on features and time-to-market concerns, as well as the lack of secure coding skills and management buy-in or funding.

For defenders: Because they handle the lion's share of application security after development, defenders struggle with identifying all of the applications in a portfolio, fear of breaking an application, and navigating through organizational silos that make coordination of efforts more difficult.

"Continued outreach, education and cooperation between groups must continue to improve in order to overcome these challenges," says Bird.

Targeted, role-specific training in secure coding is essential for builders. But defenders and everyone who is involved in developing software should, at a minimum, understand the fundamental security risks and issues in application development and what their roles and responsibilities are.

"DevOps, new tools and training have helped builder and defender teams to work together," Bird adds. "But they are still too far apart when it comes to priorities and organizational challenges."

In fact, 47% of respondents believed their application security programs needed to be improved.

"Executive management is starting to understand the risks and costs of poor application security," Bird continues. "This still needs to be translated into action."

Full results will be shared during a two-part webcast. Part 1, Wednesday, May 13, 2015, at 1 PM EDT will focus on defender issues. Part 2, on Thursday, May 14, 2015, at 1 PM EDT will focus on builder issues. The series is sponsored by Hewlett-Packard, Qualys, Veracode, Waratek, and WhiteHat Security, and hosted by SANS. Register to attend Part 1 at and Part 2 at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analysts and application security experts, Jim Bird, Eric Johnson and Frank Kim.



About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.