Ponemon Institute is pleased to present the results of Application Security in the Changing Risk
Landscape sponsored by F5. The purpose of this study is to understand how today’s security
risks are affecting application security. We surveyed 605 IT and IT security practitioners in the
United States who are involved in their organization’s application security activities.
The majority of respondents (57 percent) say it is the lack of visibility in the
application layer that is preventing a strong application security. In fact, 63 percent of respondents say attacks at the application
layer are harder to detect than at the network layer and 67 percent of
respondents say these attacks are more difficult to contain than at the network
Following are key takeaways from this research.
Lack of visibility in the application layer is the main barrier to achieving a
strong application security posture. Other significant barriers are created by
migration to the cloud (47 percent of respondents), lack of skilled or expert
personnel (45 percent of respondents) and proliferation of mobile devices (43 percent of
The frequency and severity of attacks on the application layer is considered greater than
at the network layer. Fifty percent of respondents (29 percent + 21 percent) say the application is attacked more and 58 percent of respondents (33 percent + 21 percent) say attacks are more severe than at the network layer. In the past 12 months, the most common security incidents due to insecure applications were: SQL injections (29 percent), DDoS (25 percent) and Web fraud (21 percent).
Network security is better funded than application security. On average, 18 percent of the IT security budget is dedicated to application security. More than double that amount (an average of 39 percent) is allocated to network security. As a consequence, only 35 percent of respondents say their organizations have ample resources to detect vulnerabilities in applications, and 30 percent of respondents say they have enough resources to remediate vulnerabilities in applications.
Accountability for the security of applications is in a state of flux. Fifty-six percent of
respondents believe accountability for application security is shifting from IT to the end user or
application owner. However, at this time responsibility for ensuring the security of applications is dispersed throughout the organization. While 21 percent of respondents say the CIO or CTO is accountable, another 20 percent of respondents say no one person or department is responsible.
Twenty percent of respondents say business units are accountable and 19 percent of
respondents say the head of application development is accountable.
Shadow IT affects the security of applications. Respondents estimate that on average their
organizations have 1,175 applications and an average of 33 percent are considered mission
critical. Sixty-six percent of respondents are only somewhat confident (23 percent) or have no
confidence (43 percent) they know all the applications in their organizations. Accordingly, 68
percent of respondents (34 percent + 34 percent) say their IT function does not have visibility into all the applications deployed in their organizations and 65 percent of respondents (32 percent + 33 percent) agree that Shadow IT is a problem.
Mobile and business applications in the cloud are proliferating. An average of 31 percent of
business applications are mobile apps and this will increase to 38 percent in the next 12 months. Today, 37 percent of business applications are in the cloud and this will increase to an average of 46 percent.
The growth in mobile and cloud-based applications is seen as significantly affecting
application security risk. Sixty percent of respondents say mobile apps increase risk (25
percent) or increase risk significantly (35 percent). Fifty-one percent of respondents say cloud based applications increase risk (25 percent) or increase risk significantly (26 percent).
Hiring and retaining skilled and qualified application developers will improve an
organization’s security posture. Sixty-nine percent of respondents believe the shortage of
skilled and qualified application developers puts their applications at risk. Moreover, 67 percent of respondents say the “rush to release” causes application developers in their organization to
neglect secure coding procedures and processes.
Cyber security threats will weaken application security programs, but new IT security and
privacy compliance requirements will strengthen these programs. Eighty-eight percent of
respondents are concerned that new and emerging cyber security threats will affect the security
of applications. In contrast, 54 percent of respondents say new and emerging IT security and
privacy compliance requirements will help their security programs. According to respondents,
there are more trends expected to weaken application security than will strengthen security.
The responsibility for securing applications will move closer to the application developer.
Sixty percent of respondents anticipate the applications developer will assume more responsibility for the security of applications. Testing for vulnerabilities should take place in the design and development phase of the system development life cycle (SDLC). Today, most applications are tested in the launch or post-launch phase (61 percent). In the future, the goal is to perform more testing in the design and development phase (63 percent).
Do secure coding practices affect the application delivery cycle? Fifty percent of
respondents say secure coding practices, such as penetration testing, slow down the application delivery cycle within their organizations significantly (12 percent of respondents) or some slowdown (38 percent of respondents). However, 44 percent of respondents say there is no slowdown.
How secure coding practices will change. The secure coding practices most often performed
today are: run applications in a safe environment (67 percent of respondents), use automated
scanning tools to test applications for vulnerabilities (49 percent of respondents) and perform
penetration testing procedures (47 percent of respondents). In the next 24 months, the following practices will most likely be performed: run applications in a safe environment (80 percent of respondents), monitor the runtime behavior of applications to determine if tampering has occurred (65 percent