The goal of Ponemon Institute’s Application Security in the DevOps Environment study, sponsored by HCL Software, was to better understand organizations’ ability to quickly detect, prioritize and repair vulnerabilities in their applications.
To that end, Ponemon Institute surveyed 626 individuals who work in IT security, quality assurance or development roles. All of the respondents' organizations use a DevOps approach that includes application security testing.
The goal of this blog is to recap our study’s key findings. For a complimentary copy of our comprehensive report, please click here.
The report is full of findings about application security protection and DevOps usage, but these stood out as the most compelling:
- Attacks against vulnerable applications are costlier than we might expect. In the past 12 months, organizations represented in the research incurred an average total economic loss of $12 million as a result of attacks against their vulnerable applications.
- Some of the surveyed organizations incurred astonishing total economic losses that exceeded $100 million as a result of attacks against their vulnerable applications. To put the $100 million figure into perspective, it also represents the average total IT budget of the organizations that responded to the study.
- It can take nearly 8 months on average for an organization to identify an attack on its vulnerable applications and 6 months to recover from the attack.
- On average, 67% of business-critical applications are not continuously tested for vulnerabilities.
- 74% of respondents stated that many applications were delayed in their development cycles because code had to be evaluated for security concerns, which caused their organizations to miss release deadlines.
- 71% of respondents stated that lack of visibility and consistency in their DevOps security practices ultimately put customer and employee data at risk.
The study also shed light on several positive trends in Application Security and DevOps:
- Organizations are making significant investments in application security and DevOps. Of the average $100 million IT budget for the study’s respondents, nearly $25 million was allocated to application security activities and another $20 million was allocated to DevOps activities.
- Primary drivers for organizations’ security budgeting and investment decisions included the following: Reducing risk (65% of respondents); Meeting compliance/regulatory mandates (53% of respondents) and generating Return on Investment (ROI) (51% of respondents).
- When organizations perform application security testing, they use a variety of testing methodologies, including DAST (dynamic application security testing), SAST (static application security testing), IAST (interactive application security testing), SCA (software composition analysis) and penetration testing.
- In an especially promising sign, 49% of respondents say that their organizations empower developers to identify vulnerabilities within the coding process and 47% of respondents say their organizations ensure training on how to secure the coding process.
- 52% of respondents reported that automating vulnerability scanning at every stage of their Software Development Lifecycle (SDLC) was important to their organization, and 56% of respondents stated that fixing vulnerabilities quickly using automated tools was important.
Areas of Improvement
Finally, the study revealed several areas in which AppSec and DevOps professionals could be more effective, and where additional progress clearly needs to be made:
- Not a single organization stated that it could prevent more than 50% of attacks against already deployed vulnerable applications, and 45% of respondents stated that their organizations could prevent fewer than 15% of such attacks.
- When an attack occurs against their vulnerable applications, organizations reported that they can detect and contain only 40% of those attacks on average.
- Nearly half of organizations test their applications quarterly or less often, with 6% of respondents stating that their organizations test applications only once a year. 25% of respondents said that their organizations had no planned testing cycles at all.
- For study respondents, staffing shortages represented the primary barrier to preventing attacks against vulnerable applications (63% of respondents). And, alert fatigue continued to be a significant concern, with 40% of respondents reporting that their appsec findings generated too much noise for them to be managed effectively.
- Only 38% of organizations report that they are able to fix vulnerabilities as early as possible.