April 12, 2011

Application Security: 2011 And Beyond


by Chenxi Wang, Ph.D. for Security & Risk Professionals

Making Leaders Successful Every Day


by Chenxi Wang, Ph.D. with Stephanie Balaouras, Chris Sherman, and Lindsey Coit

Organizations Remain Tentative In Application Security Investment

EXECUTIVE SUMMARY

Application security is an essential tool for managing risk in today's increasingly dynamic and capable threat landscape. Yet the market for application security remains small, and organizations are making only tactical investments in application security measures. Evidence suggests that this trend will last for some time to come. However, the anticipation of an increasingly open and mobile enterprise should help refocus the spotlight on strategic investments in areas like application security. Security professionals who wish to see application security move up in IT's priority queue should take immediate steps, such as demanding secure software from their suppliers and requiring rigorous acceptance tests for third-party code, to help promote application security in the long run.

TABLE OF CONTENTS

IT Views Application Security As A Priority, But Investment Remains Tentative
Application Security Practices Remain Tactical And Immature
In 2011, Security Professionals Need To Be Creative About Application Security
  Longer-Term Efforts Require Commitment
RECOMMENDATIONS
Application Security Is A Long-Term Initiative

NOTES & RESOURCES

In developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users, vendors, and regulators across industry sectors.

Related Research Documents

The Forrester Wave: Vulnerability Management, Q2 2010 (July 15, 2010)
Web Application Firewall: 2010 And Beyond (February 8, 2010)
Know Your Code: How Static Analysis Tools Make Applications More Secure (November 20, 2009)
TechRadar For SRM Professionals: Application Security, Q3 2009 (July 8, 2009)

2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email clientsupport@forrester.com. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

IT VIEWS APPLICATION SECURITY AS A PRIORITY, BUT INVESTMENT REMAINS TENTATIVE

Of the 2,078 security decision-makers and influencers in Forrester's Forrsights Security Survey, Q3 2010, 71% told us that application security would be a top initiative for them in 2011. However, it ranked only sixth out of 12 in the list of top IT security initiatives (see Figure 1). Forrsights survey data from 2008 to 2010 shows that, as a security priority, application security took a big dip in ranking from 2008 to 2009 and only slightly recovered in 2010 (see Figure 2). A possible explanation for application security's decline is that managing vulnerabilities and threats has increased steadily as a security priority from 2008 to 2010. Because application security has a significant impact on vulnerability management, one could infer that the spotlight is only shifting to a different perspective and that commitment to application security may not have declined in the final analysis.

When we asked our respondents about their planned investment in application security, we found that the investment level increased slightly from 2010 to 2011: 23% of the 2010 survey respondents indicated that their investment in application security would increase 5% to 10% for 2011, while only 15% gave the same answer in the 2009 survey (see Figure 3). In contrast, 33% of respondents said they would increase their investment in network security in 2011.1 These results suggest a paradoxical situation: Although many IT security professionals view application security as a priority, IT's budget allocation does not reflect a matching level of commitment. Empirical evidence corroborates this theory: application security professionals often tell us that they survive by scraping the bottom of the IT budget barrel.

Figure 1 Major IT Security Challenges

"Which of the following initiatives are likely to be your firm's/organization's top IT security priorities over the next 12 months?" (Respondents selecting "High" or "Critical" priority)

Data security                                                          88%
Managing vulnerabilities and threats                                   84%
Business continuity/disaster recovery                                  80%
Cutting costs and/or increasing efficiency                             74%
Managing information risk                                              72%
Application security                                                   71%
Regulatory compliance                                                  71%
Aligning IT security with the business                                 68%
Identity and access management                                         61%
User security training and awareness                                   56%
Implementing our security requirements on business partners/third parties  38%
Security outsourcing                                                   11%

Base: 2,058 North American and European IT executives and technology decision-makers
Source: Forrsights Security Survey, Q3 2010
57677 Source: Forrester Research, Inc.

Figure 2 Changes Of IT Security Priorities From 2008 To 2010

[Line chart, percentage of respondents, 2008 to 2010] "Which of the following initiatives are likely to be your firm's/organization's top IT security priorities over the next 12 months?" (Those who answered "Critical priority" or "Top priority"). Series plotted: Data security; Managing vulnerability and complex threats; Business continuity/disaster recovery; Application security; Regulatory compliance; Identity and access management.

Base: 2,148 (2008), 2,199 (2009), and 2,058 (2010) North American and European IT executives and technology decision-makers
Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2008 and Q3 2009; Forrsights Security Survey, Q3 2010

Figure 3 Application Security Spending Increases Slightly From 2010 To 2011

"How do you expect your firm's security spending in the following technology areas will change from 2010 to 2011?" Application security (including application and code testing, web application firewalls, secure development life-cycle tools, SOA/XML firewalls)

                          2009 survey   2010 survey
Increase more than 10%         5%            3%
Increase 5% to 10%            15%           23%
Stay about the same           70%           63%
Decrease 5% to 10%             4%            2%
Decrease more than 10%         2%            1%
Don't know                     5%            7%

Base: 2,199 (2009) and 2,058 (2010) North American and European IT executives and technology decision-makers
Source: Enterprise And SMB Security Survey, North America And Europe, Q3 2009; Forrsights Security Survey, Q3 2010

APPLICATION SECURITY PRACTICES REMAIN TACTICAL AND IMMATURE

So what are organizations doing in terms of specific application security initiatives? We asked our respondents how they invest in individual application security measures. Thirty percent told us they have invested in penetration testing services, and 29% have adopted application testing/scanning tools. In contrast, only 12% said they have adopted code-level analysis technologies, and 16% reported the use of security architecture consulting services (see Figure 4). Forrester's TechRadar for application security confirms this data: penetration testing services and application testing/scanning technologies are the two most widely deployed application security measures.2 This is a sign that the market is not yet mature, as penetration testing and application scanning are the two most tactical measures, typically applied at the conclusion of the development process. The more preventive and strategic measures, such as secure architecture design and code-level analysis, are not nearly as widely deployed.

The reasons that we don't see many organizations invest in strategic and preventive application security measures are twofold. First, development organizations often resist changes to existing development processes because developers are under tremendous time-to-market pressure; they view any additional task, such as code-level analysis, as nonessential and at odds with their goals. Second, it's often difficult to persuade management to invest in proactive and strategic software security measures because they may take some time to produce a positive ROI.
Figure 4 Adoption Plans For Application Security Technologies

"What are your firm's plans to adopt the following application security technologies?"

Columns: (a) Planning to implement in the next 12 months; (b) Planning to implement in a year or more; (c) Already adopted; (d) Not interested or no plans to adopt; (e) Don't know

                                                                              (a)   (b)   (c)   (d)   (e)
Code-level analysis tools and techniques (e.g., static analysis for source or binary code)   8%    6%   12%   66%    8%
Consulting services for application security architecture                     5%    8%   16%   65%    6%
Consulting services for penetration testing                                   8%    7%   30%   50%    5%
Application security testing and scanning tools                               8%   12%   29%   47%    4%

Base: 1,032 North American and European IT executives and technology decision-makers
Source: Forrsights Security Survey, Q3 2010
57677 Source: Forrester Research, Inc.

IN 2011, SECURITY PROFESSIONALS NEED TO BE CREATIVE ABOUT APPLICATION SECURITY

Managing application security vulnerabilities should be an essential IT security practice. According to the Verizon Business 2010 Data Breach Investigations Report, web application hacking was the No. 1 attack pathway for data breaches, accounting for 54% of all breach incidents and 92% of all records breached.3 Data breaches resulting from web application hacking are almost always accomplished through the exploitation of application vulnerabilities like SQL injection or cross-site scripting. If we don't improve application security at a larger scale, the industry will continue to be plagued with security incidents that result in data breaches or other, even more disastrous, consequences. Changing the attitude toward application security, however, requires a culture shift, one that places importance on proactive risk management rather than immediate ROI. This shift won't happen overnight. In the meantime, security professionals should follow these recommendations to implement a few immediate measures that effect positive change:

Recommendation No. 1: Demand software quality and security from suppliers. Many organizations today don't formally require their software suppliers to provide quality, secure software. This has resulted in an industry where time-to-market trumps all other considerations. If the buyer side starts to demand quality and security from software producers, this will incent them to invest more in application security measures. If you're a security professional in a buyer's organization, you need to encourage your sourcing colleagues to treat application security maturity as an essential vendor selection criterion and, as much as you can, demand software security and quality at the contractual level.

Recommendation No. 2: Perform stringent acceptance tests for third-party code. Beyond contractual demands and careful vendor selection, another measure is acceptance testing of supplied code. Remember, without actual tests, there's no way of validating your vendor's claims about quality and security. Perform penetration tests on the supplied code to check for common security vulnerabilities, such as cross-site scripting, code injection, and buffer overflows. You can perform the tests internally or contract a trusted third party. There are also code analysis services available for more in-depth assessments of binary code; use such a service if your supplier consents.
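An acceptance test of the kind Recommendation No. 2 describes, aimed at the two flaws the previous section names as the usual breach path (SQL injection and cross-site scripting), is shown below as an added example; it is not code from the report or from any vendor. The `lookup_*` and `greet_*` functions are constructed stand-ins for supplied code (one flawed and one fixed variant of each), and the acceptance checks treat them as black boxes: each canary payload must come back as inert data, or the delivery fails.

```python
"""Black-box acceptance tests for supplied code: canary payloads for SQL
injection and cross-site scripting (added example, not from the report)."""
import html
import sqlite3

# Constructed stand-ins for vendor-supplied functions. The *_vuln versions
# carry the two flaws the report names; the *_safe versions show the fix.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vuln(conn, name):
    # Query built by string formatting: the caller's input is parsed as SQL.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameterised query: the input is bound as data and never reaches the parser.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def greet_vuln(name):
    # Untrusted text interpolated straight into HTML.
    return f"<p>Hello {name}</p>"

def greet_safe(name):
    # html.escape neutralises <, >, &, " and ' for an HTML text context.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

# Canary payloads: each one must behave as inert data if the code is sound.
SQLI_PAYLOADS = [
    "' OR '1'='1",
    "x' OR 1=1 --",
    "' UNION SELECT name, email FROM users --",
]
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]

def sqli_acceptance(lookup, conn):
    """Pass iff every payload, used as a username, returns no rows and raises
    no SQL error. Rows mean the payload changed the query's logic; a SQL
    error means the input reached the parser. Returns (passed, failing)."""
    failing = []
    for payload in SQLI_PAYLOADS:
        try:
            rows = lookup(conn, payload)
        except sqlite3.Error:
            failing.append(payload)
            continue
        if rows:
            failing.append(payload)
    return (not failing, failing)

def xss_acceptance(render):
    """Pass iff no payload's markup survives into the rendered HTML unescaped."""
    failing = []
    for payload in XSS_PAYLOADS:
        out = render(payload).lower()
        if "<script" in out or "<img" in out or '"><' in out:
            failing.append(payload)
    return (not failing, failing)

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vendor lookup", lookup_vuln), ("fixed lookup", lookup_safe)):
        print(label, "SQLi:", sqli_acceptance(fn, db))
    for label, fn in (("vendor render", greet_vuln), ("fixed render", greet_safe)):
        print(label, "XSS:", xss_acceptance(fn))
```

The checks deliberately look at behaviour rather than source: a nonexistent user that suddenly returns rows, a query that throws a syntax error, or a tag that reaches the page are all observable without the vendor's code, which is what makes this usable as a contractual acceptance gate. Extend the payload lists with the product's own input fields and run the suite on every delivery, not only the first.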

Recommendation No. 3: Disable default accounts in applications. One of the simplest yet most effective steps you can take is to disable all default accounts, passwords, and administrative information left in an application prior to production. The Verizon Business data breach report indicated that 11% of data breaches were due to the use of default and easily guessable passwords. Disabling default accounts eliminates a big threat vector. This is especially critical for vendor-supplied code, because you can't always count on your vendor to do the right thing. Make this a universal policy for all applications, as part of your change management practice.
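The following is an added example (not from the report) of the kind of pre-production gate Recommendation No. 3 calls for: an audit of an application's user store that flags enabled accounts carrying a vendor default name or a default or guessable password, and a gate that refuses the deployment until they are disabled. The user store, its salted SHA-256 password scheme, and the sample accounts are all constructed for illustration; a real audit would substitute the application's actual password hashing and the defaults listed in its vendor documentation.

```python
"""Pre-production gate: find and disable default or easily guessable accounts
in an application's user store (added example, not from the report)."""
import hashlib
import hmac

# Vendor default usernames and the passwords commonly shipped with them.
# Populate from the vendor's own documentation for the product being deployed.
DEFAULT_CREDENTIALS = {
    "admin": ["admin", "password", "admin123", ""],
    "root": ["root", "toor", ""],
    "guest": ["guest", ""],
    "test": ["test"],
    "tomcat": ["tomcat"],
}
# Trivially guessable passwords checked for every account.
GUESSABLE = ["password", "123456", "changeme", "welcome", "letmein", "qwerty"]

def app_hash(password, salt):
    # Assumed scheme for the hypothetical application: SHA-256 over salt+password.
    # Replace with the real application's KDF (bcrypt, PBKDF2, ...) when auditing it.
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_record(username, salt, password, enabled):
    # Builds one user-store row the way the application would store it.
    return {"username": username, "salt": salt,
            "hash": app_hash(password, salt), "enabled": enabled}

# Constructed sample of a user-store export pulled before go-live.
SAMPLE_ACCOUNTS = [
    make_record("admin", "8f1c", "admin", True),            # vendor default, untouched
    make_record("deploy", "3a9e", "Tr0ub4dor&3xK", True),   # real service account
    make_record("guest", "77b2", "guest", False),           # default, already disabled
    make_record("svc_reports", "c0d4", "password", True),   # guessable password
]

def audit_accounts(records):
    """Return [(username, [reasons])] for every enabled account that is a
    vendor default or whose password matches a default/guessable value."""
    findings = []
    for rec in records:
        if not rec["enabled"]:
            continue
        name = rec["username"].lower()
        reasons = []
        if name in DEFAULT_CREDENTIALS:
            reasons.append("default account name")
        # Candidate passwords: the vendor defaults for this name, the name
        # itself, then the generic guessable list.
        candidates = DEFAULT_CREDENTIALS.get(name, []) + [name] + GUESSABLE
        for pw in candidates:
            if hmac.compare_digest(app_hash(pw, rec["salt"]), rec["hash"]):
                reasons.append(f"password matches known value {pw!r}")
                break
        if reasons:
            findings.append((rec["username"], reasons))
    return findings

def release_gate(records):
    """True only when nothing is flagged; wire this into the change-management
    step that approves the production deployment."""
    return not audit_accounts(records)

def disable_flagged(records):
    """Copy of the export with every flagged account disabled."""
    flagged = {name for name, _ in audit_accounts(records)}
    return [dict(rec, enabled=rec["enabled"] and rec["username"] not in flagged)
            for rec in records]

if __name__ == "__main__":
    for user, why in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"DISABLE {user}: {'; '.join(why)}")
    print("gate before:", release_gate(SAMPLE_ACCOUNTS))
    print("gate after: ", release_gate(disable_flagged(SAMPLE_ACCOUNTS)))
```

Because the audit works from stored hashes, it can run against a read-only export of the user store without ever seeing a cleartext password, and it catches the common failure where a team renames nothing and simply forgets the vendor's `admin`/`admin` pair. Treat a failed gate as a change-management block, not a warning.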

Recommendation No. 4: Establish a secure operational environment for apps. For applications going into production, establishing a secure configuration profile for the application and a prescriptive operational guide for its environment will save you a great deal of incident response, diagnosis, and forensics effort. For instance, before deployment, ensure that network security controls and application monitoring/diagnostics mechanisms are in place.

Recommendation No. 5: Implement effective bug reporting and handling. If you're a software producer, one of the most effective ways you can improve application security is to establish a set of well-understood bug-reporting practices and channels. Ensure that you have designated personnel for tasks ranging from handling initial bug reports and interfacing with customers to dealing with the resulting issues, performing bug analysis, determining priorities, chasing down root causes, and ultimately performing remediation. You also need to tie security bug fixes to developers' performance evaluations, in order to incent them to fix security issues.

Longer-Term Efforts Require Commitment

As the buyer side starts to demand secure software, the power balance will start to shift toward more strategic approaches to managing application-level risks. Information security professionals can encourage this change by engaging in these longer-term initiatives:

Work toward an industry certification program for secure development practices. An industry certification would bring formal recognition that a particular software-producing body has demonstrated a proficient level of application security practice and competence. The certification would carry credibility, attest to consistent training practices that maintain that level of expertise, and give buyers a higher level of confidence in software applications. Security professionals should engage with industry groups like OWASP or SANS to hammer out a set of certification requirements and work with vendors to ensure that proper verification of the requirements can take place.

Implement an application security program. Adopt a prescriptive application security methodology, such as Microsoft's Security Development Lifecycle (SDL), and adapt it for your own environment. Implement the more strategic and preventive security measures, such as threat modeling, secure design, and code-level analysis, throughout your application life cycle, from the requirements phase to production. In addition, put in place an accountability structure and incentive measures to further the cause of application security. Concrete examples of accountability measures include evaluating developers with security metrics, establishing common bug criteria across development and test, and placing explicit performance requirements on developers to work with security testers.

Continue to drive awareness of the changing threat landscape. Concerns over cybersecurity and the changing threat landscape will drive demand for proactive measures, advanced analytics, and ultimately a more risk-centric approach to security. Driving awareness of cyberthreats will help application security professionals articulate alignment with business value and secure justification for investments.

RECOMMENDATIONS

APPLICATION SECURITY IS A LONG-TERM INITIATIVE


To improve application security, companies and security professionals should work in a concerted fashion to cultivate a culture that values and promotes application security. To help usher in such a culture, security professionals should:

Do your part to promote an application security ecosystem. Both buyers and producers can play a role in this ecosystem. Buyers can demand secure software; producers in turn will demand the same from their software supply chain. Third parties can play an independent verification and certification role. The ecosystem is well established when all involved parties expect secure software and everyone knows how to evaluate it.

Use mobile proliferation as a catalyst for application security. Application development houses are taking notice of the increasing popularity of smartphones and tablets. Many have plans in place to develop customer-facing and corporate-oriented mobile applications. As modern mobile devices get closer and closer to PC functionality, security for mobile applications will step into the spotlight. Security professionals can use this opportunity to drive awareness of and demand for application security measures and programs.

ENDNOTES

1 Source: Forrsights Security Survey, Q3 2010. Respondents indicate that data security and network security are the top two priorities for IT security.
2 See the July 8, 2009, "TechRadar For SRM Professionals: Application Security, Q3 2009" report.
3 Source: Verizon Business, 2010 Data Breach Investigations Report (http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf).
