Editor's Note: This guest blog post is from Frank Kim, head of the Developer curriculum at the SANS Institute. For the second year in a row Jim Bird and I have helped SANS put together a "Survey on Application Security Programs and Practices". We asked some of the same questions as the previous year, just in a different way. Some interesting trends this year, as taken from the executive summary of the soon to be published paper, include the following:
- There was a significant improvement in the number of organizations implementing application security programs and practices. The percentage of organizations that have an active Appsec program increased from 66% last year to 83% this year, and many of the organizations that do not have a program in place yet are at least following some kind of ad hoc security practices.
- Organizations are testing more frequently. In this year's survey, more than one-third are doing continuous, ongoing security testing of their applications, whereas only 23% indicated doing so in our previous survey.
- Organizations continue to face the same kinds of challenges in getting management buy-in for application security programs. But the leading inhibitor for putting effective Appsec programs in place is now a shortage of application security skills, whereas in last year's survey, the leading inhibitor was management buy-in and funding. In this year's survey, organizations also ranked technical resources to maintain security in production as their fourth most difficult problem.
To find out more please register for our complimentary webcast on Wednesday, February 12 at http://www.sans.org/info/150770. If you register for the webcast you'll get an advance copy of the paper that will be published in the SANS Reading Room at http://www.sans.org/reading-room/analysts-program.
Author's Bio: Frank Kim is a security leader with over 16 years of experience in information security, risk management, and enterprise IT. He has a passion for developing security strategies and building teams focused on practical solutions to business risks. He currently serves as the curriculum lead for application security at the SANS Institute and is the author of and an instructor for the Secure Coding in Java course. Frank is a popular public speaker and has presented at security, software development, and leadership events around the world.