A large-scale survey of IT security professionals found that application security is the most pressing security problem facing them, beating out malicious software and mobile devices, according to a survey released by (ISC)2 and Frost & Sullivan.
The 2013 (ISC)2 Global Information Security Workforce Study ranked application security issues at the top of a list of survey – the same place it occupied in a similar survey in 2011. Application vulnerabilities were listed as a “top” or “high” concern for 69 percent of survey respondents. That’s a slight dip from 2011, when 73% of respondents named that as their top security threat. Malware, including viruses and worms, moved up to the #2 spot, with 67 percent of respondents listing it as a “high” concern or their “top” concern.
Now, if you follow security for any amount of time, you know that there are all kinds of surveys. Vendors survey their customers. Publications survey their readers. Random web sites survey random collections of folks who visit their site. There’s a lot of variability and survey results should always be taken with a grain of salt. That said, the (ISC)2 survey has some weight to it. First of all, it was conducted with the help of professionals (Frost & Sullivan as well as Booz Allen Hamilton), not the Director of Marketing of SecurityStuff Inc. Second, the sample population is large: 12,000 information security professionals.
The survey data concerning application security is revealing. Those surveyed didn’t just say they worried about the threat posed by application vulnerabilities, they also acknowledged that much of the blame lay within their organizations. Forty one percent of those surveyed listed “applications and system development security” as their second most urgent training need, after “information risk management” (the choice of 47% of those surveyed). “Many organizations have come to the realization that their own internally created software suffers from the same security risks as those coming from a vendor.”
When asked what aspects of software development held the most security concerns for them, respondents said it was early stage development that concerned them the most – not QA. Eighty one percent listed software “design” as the development task in need of better security, followed by “Specifying requirements” and “Testing, debugging or validation.”
That probably shouldn’t come as a surprise. IT security professionals are increasingly involved in software development. Fully 22% of those who took the (ISC)2 survey said that they were “personally involved in software development.” Of those respondents in the Americas region, the figure was 24%.
As this blog (and others) have noted on many occasions, more secure application development starts with better training for would-be application developers. That’s especially true as more and more applications make use of shared and open source components that speed development, but often at the price of security.
Chris Wysopal on Tuesday wrote about SAFECode, a program spearheaded by Adobe to offer free application security training to developers. With almost three quarters of applications submitted to CA Veracode failing to comply with enterprise security standards, any help is appreciated. The (ISC)2 survey is a reminder that, as the ranks of those involved in software development swell, so does the need for education about application security.