Speed of System Change and Application Security: Results of the SANS 2017 Application Security Survey

Bethesda, Md. – Fast development is actually improving application security, according to results of a new survey to be released in a two-part webcast hosted by SANS Institute on Tuesday, October 24 and Wednesday, October 25. Organizations able to make changes to their code continuously, daily or weekly are also fixing more security vulnerabilities than their slower-moving competitors, and with better results.

Fast development has also brought many other improvements, according to the results, including:

  • Breaking down traditional silos
  • Moving more responsibility for security testing directly to developers or cross-functional teams
  • Building up end-to-end workflow automation, which integrates security into Agile and DevOps toolchains so they can test security faster and more often

"The speed of software development is accelerating, and the technologies organizations use to support businesses are becoming more diverse," says Jim Bird, SANS Analyst and author of the survey report. "Together, those variables radically change how development teams - and their security/risk management teams - think and work."

Roughly 43% of respondents' organizations push out changes weekly, daily or continuously; these are the fast-moving organizations. But speed doesn't necessarily mean that organizations are subject to more breaches. Overall, only 15% of this year's respondents reported experiencing a breach over the past two years.

Of those that were breached, the biggest sources of breaches continued to be public-facing web applications and Windows OS, closely followed by legacy applications (which are often left untested because security teams either aren't aware of them or don't have access to their source code). Custom applications are another common target of attack.

"The sources of breaches don't change that much," says Eric Johnson, Application Security Curriculum product manager at SANS. "But application security teams must adapt to the increasing speed of development to successfully control their risks."

Fast-moving organizations test more frequently. This leads to more automation and embedded review processes. In the survey, 54% of organizations are employing automated code review and Static Application Security Testing (SAST).

"The faster an organization wants to move, the more it needs automation," says Frank Kim, the SANS Management and Software Security Curriculum lead. "But that automation comes with some trade-offs."

While organizations can run many automated tests, those tests must be highly targeted, leaving room for vulnerabilities to slip through, he continues. "Periodic pen testing, in-depth manual reviews, configuration auditing, deep scanning and fuzzing are still needed to find errors that escape tight automated loops."

Full results will be shared during a two-part webcast at 1 PM EDT on both Tuesday, October 24 and Wednesday, October 25, sponsored by Rapid7, Synopsys, Tenable, Veracode, and WhiteHat Security, and hosted by SANS. Register to attend the webcasts at www.sans.org/webcasts/105210 and www.sans.org/webcasts/105215.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and application security expert, Jim Bird, with advice from Eric Johnson, Frank Kim and Barbara Filkins.

Tweet This:

SANS AppSec Survey 2-Part Webcast: Securing apps in a fast-paced world Oct 24 www.sans.org/webcasts/105210 | Oct 25 www.sans.org/webcasts/105215

Risks and rewards of fast-paced deployment cycles: Results of SANS AppSec survey revealed | www.sans.org/webcasts/105210

Learn how to protect containerized apps and mitigate breaches. Join us Oct. 25 | www.sans.org/webcasts/105215

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)