Focus Shift: From the Critical Five Percent to the Entire Application Infrastructure

By Jasmine Noel

Share this article:

21906762_m_2.jpg

The IDG study found that more than sixty percent of internally developed applications are not assessed for critical security vulnerabilities such as SQL Injection.

 

Later this week I’ll be joining IDG Market Research Manager, Perry Laberis for a webinar to discuss a study on how application infrastructures are changing and how security teams will keep up with those changes to manage enterprise risk. At CA Veracode this is a very important discussion because we know that applications are the lifeblood of every enterprise. The last time we did a survey like this we found that focus had shifted from securing only mission critical applications to instead a broader and better understanding of your entire application infrastructure. Discussions with our customers showed that they were increasingly concerned about their entire application infrastructure. They are concerned because attackers are using well known vulnerabilities in low priority applications as a stepping stone to get access to more valuable data. For example, we’ve known how to find, fix and prevent SQL injection vulnerabilities for 20+ years. Yet it still shows up — and is exploitable — in modern web applications. It’s still showing up in enterprise application infrastructures because most enterprise development teams are not required to find and fix security vulnerabilities. The IDG study found that more than sixty percent of internally developed applications are not assessed for critical security vulnerabilities such as SQL Injection. So there is this gap between what people worried about securing two years ago and what they are worried about now. The fundamental question our customers are asking us is – how can they go further faster? They also ask us a lot of questions about what are other people doing:

• What baseline should I be comparing myself to – tell me what my peer group is doing and who it doing appsec best?
• What does their current coverage look like?
• How fast is their application infrastructure growing?
• How much are they spending to get that coverage and what are the spending it on?
• How do my peers drive up adoption of secure development practices across all of their development teams?
• What are the critical factors for success and how do I benchmark my progress?

That’s a broad range of topics – so we decided it would be best to get systematic about getting answers to these types of questions. The research results Perry and I will be discussing are the beginning a whole series of efforts to deliver answers for our customers. I hope you find the insights valuable and that you will give us suggestions on how to make it even more relevant to your particular challenges. Register for the webinar.

By Jasmine Noel

At CA Veracode, Jasmine’s efforts are focused around market research, content development and sales enablement efforts. Previously, Jasmine was a founding partner of Ptak/Noel, an industry analyst and marketing consulting firm. Prior to that she also served as director of systems and applications management at Hurwitz Group, and senior analyst at D.H. Brown Associates. Jasmine holds a bachelor of science from the Massachusetts Institute of Technology and a master of science from the University of Southern California.