EXECUTIVE SUMMARY
Application security is an essential tool for managing risk in today's increasingly dynamic and capable threat landscape. Yet the market for application security remains small, and organizations are making only tactical investments in application security measures. Evidence suggests that this trend will last for some time. However, the anticipation of an increasingly open and mobile enterprise should help refocus the spotlight on strategic investments in areas like application security. Security professionals who wish to see application security move up in IT's priority queue should take immediate steps, such as demanding secure software from their suppliers and requiring rigorous acceptance tests for third-party code, to promote application security in the long run.
NOTES & RESOURCES
In developing this report, Forrester drew from a wealth of analyst experience, insight, and research through advisory and inquiry discussions with end users, vendors, and regulators across industry sectors.
Related Research Documents
"The Forrester Wave: Vulnerability Management, Q2 2010," July 15, 2010
"Web Application Firewall: 2010 And Beyond," February 8, 2010
"Know Your Code: How Static Analysis Tools Make Applications More Secure," November 20, 2009
"TechRadar For SRM Professionals: Application Security, Q3 2009," July 8, 2009
© 2011 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email clientsupport@forrester.com. For additional reproduction and usage information, see Forrester's Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
IT VIEWS APPLICATION SECURITY AS A PRIORITY, BUT INVESTMENT REMAINS TENTATIVE

Of the 2,078 security decision-makers and influencers in Forrester's Forrsights Security Survey, Q3 2010, 71% told us that application security would be a top initiative for them in 2011. However, it ranked only sixth out of 12 in the list of top IT security initiatives (see Figure 1). Forrsights survey data from 2008 to 2010 shows that, as a security priority, application security took a big dip in ranking from 2008 to 2009 and recovered only slightly in 2010 (see Figure 2). A possible explanation for application security's decline is that managing vulnerabilities and threats rose steadily as a security priority from 2008 to 2010. Because application security has a significant impact on vulnerability management, one could infer that the spotlight has only shifted to a different perspective and that commitment to application security may not, in the final analysis, have declined. When we asked respondents about their planned investment in application security, we found that the investment level increased slightly from 2010 to 2011: 23% of the 2010 survey respondents indicated that their investment in application security would increase 5% to 10% for 2011, while only 15% gave the same answer in the 2009 survey (see Figure 3). In contrast, 33% of respondents said they would increase their investment in network security in 2011.¹ These results suggest a paradox: although many IT security professionals view application security as a priority, that priority is not reflected in IT's budget allocation. Empirical evidence corroborates this: application security professionals often told us that they survive by scraping the bottom of the IT budget barrel.
Figure 1: Top IT security initiatives for 2011 (chart not reproduced). Base: 2,058 North American and European IT executives and technology decision-makers. Source: Forrsights Security Survey, Q3 2010.

Figure 2: Application security's ranking among security priorities, 2008 to 2010 (chart not reproduced). Base: 2,148 (2008), 2,199 (2009), and 2,058 (2010) North American and European IT executives and technology decision-makers. Sources: Enterprise And SMB Security Survey, North America And Europe, Q3 2008; Enterprise And SMB Security Survey, North America And Europe, Q3 2009; Forrsights Security Survey, Q3 2010.

Figure 3: Planned change in application security investment, 2010 versus 2011 (chart not reproduced; response categories include "Increase 5% to 10%", "Decrease 5% to 10%", and "Don't know"). Base: 2,199 (2009 survey) and 2,058 (2010 survey) North American and European IT executives and technology decision-makers. Sources: Enterprise And SMB Security Survey, North America And Europe, Q3 2009; Forrsights Security Survey, Q3 2010.
APPLICATION SECURITY PRACTICES REMAIN TACTICAL AND IMMATURE

So what are organizations doing in terms of specific application security initiatives? We asked our respondents how they invest in individual application security measures. Thirty percent told us they have invested in penetration testing services, and 29% have adopted application testing/scanning tools. In contrast, only 12% said they have adopted code-level analysis technologies, and 16% reported the use of security architecture consulting services (see Figure 4). Forrester's TechRadar for application security confirms this data: penetration testing services and application testing/scanning technologies are the two most widely deployed application security measures.² This is a sign that the market is not yet mature, as penetration testing and application scanning are the two most tactical measures, often applied only at the conclusion of the development process. The more preventive and strategic measures, such as secure architecture design and code-level analysis, are not nearly as widely deployed.
The reasons that we don't see many organizations invest in strategic and preventive application security measures are twofold. First, development organizations often resist changes to existing development processes because developers are under tremendous time-to-market pressure; they view any additional task, such as code-level analysis, as nonessential and incommensurate with their goals. Second, it's often difficult to persuade management to invest in proactive and strategic software security measures because they may take some time to produce a positive ROI.
Figure 4: Adoption Plans For Application Security Technologies (chart not reproduced)
Question: "What are your firm's plans to adopt the following application security technologies?" Responses shown per technology as "Already adopted" and "Don't know".
Technologies: code-level analysis tools and techniques (e.g., static analysis for source or binary code); consulting services for application security architecture; consulting services for penetration testing; application security testing and scanning tools.
Base: 1,032 North American and European IT executives and technology decision-makers. Source: Forrsights Security Survey, Q3 2010.
IN 2011, SECURITY PROFESSIONALS NEED TO BE CREATIVE ABOUT APPLICATION SECURITY

Managing application security vulnerabilities should be an essential IT security practice. According to Verizon Business's 2010 Data Breach Investigations Report, web application hacking was the No. 1 attack pathway for data breaches, accounting for 54% of all breach incidents and 92% of all records breached.³ Data breaches resulting from web application hacking are almost always accomplished through the exploitation of application vulnerabilities such as SQL injection or cross-site scripting. If we don't improve application security at a larger scale, the industry will continue to be plagued with security incidents that result in data breaches or even more disastrous consequences. Changing the attitude toward application security, however, requires a culture shift: one that places importance on proactive risk management rather than immediate ROI. This shift won't happen overnight. In the meantime, security professionals should follow these recommendations to implement a few immediate measures that effect positive change:
Recommendation No. 1: Demand software quality and security from suppliers. Many organizations today don't formally require their software suppliers to deliver quality, secure software. This has resulted in an industry where time-to-market trumps all other considerations. If the buyer side starts to demand quality and security from software producers, producers will have an incentive to invest more in application security measures. If you're a security professional in a buyer's organization, you need to encourage your sourcing colleagues to treat application security maturity as an essential vendor selection criterion and, as much as you can, to demand software security and quality at the contractual level.
Recommendation No. 2: Perform stringent acceptance tests for third-party code. Beyond contractual demands and careful vendor selection, another measure is acceptance testing of supplied code. Remember, without actual tests, there's no way of validating your vendor's claims of quality and security. Perform penetration tests on the supplied code to check for common security vulnerabilities, such as cross-site scripting, code injection, and buffer overflows. You can perform the tests internally or contract a trusted third party. There are also code analysis services available for more in-depth assessment of binary code; use such a service if your supplier consents.
Recommendation No. 3: Disable default accounts in applications. One of the simplest yet most effective steps you can take is to disable all default accounts, passwords, and administrative information left in an application prior to production. Verizon Business's data breach report indicated that 11% of data breaches were due to the use of default and easily guessable passwords. Disabling default accounts eliminates a big threat vector for you. This is especially critical for vendor-supplied code, because you can't always count on your vendor to do the right thing. You need to make this a universal policy for all applications, as part of your change management practice.
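One way to turn Recommendation No. 3 into an enforceable change-management gate is to audit an application's exported account list against a list of known vendor default credentials before the release is approved. The following is an added example (not code from the report or from Forrester): the account records, the default-credential list, and the "sha256$<salt>$<hex>" password format are all constructed for illustration.

```python
"""Pre-production gate: flag vendor default accounts and default passwords.

Added example, not part of the original report. The account records, the
KNOWN_DEFAULTS list and the 'sha256$<salt>$<hex>' password format are
constructed for illustration.
"""
import hashlib
import hmac


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 in the constructed 'sha256$<salt>$<hex>' format."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"sha256${salt}${digest}"


def password_matches(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    try:
        scheme, salt, _digest = stored.split("$", 2)
    except ValueError:
        return False  # malformed or unknown format: treat as no match
    if scheme != "sha256":
        return False
    return hmac.compare_digest(hash_password(candidate, salt), stored)


# Constructed list of well-known vendor default credentials (hypothetical values).
KNOWN_DEFAULTS = {
    "admin": ("admin", "password", "changeme"),
    "guest": ("guest",),
    "test": ("test",),
    "support": ("support",),
}


def audit_accounts(accounts, known_defaults=KNOWN_DEFAULTS):
    """Return one finding per policy violation in the account list.

    Violations under a 'no default accounts in production' policy:
      - an enabled account whose username is a known vendor default
      - any account, enabled or not, that still holds a known default password
        (checked against every default, so a renamed account that kept a
        vendor password is still caught)
    """
    all_default_passwords = {pw for pws in known_defaults.values() for pw in pws}
    findings = []
    for acct in accounts:
        user = acct["username"]
        enabled = acct.get("enabled", False)
        if enabled and user in known_defaults:
            findings.append({"username": user, "severity": "high",
                             "issue": "default account is enabled"})
        if any(password_matches(acct["password"], pw) for pw in all_default_passwords):
            findings.append({"username": user,
                             "severity": "high" if enabled else "medium",
                             "issue": "password equals a known vendor default"})
    return findings


def gate_passes(accounts, known_defaults=KNOWN_DEFAULTS) -> bool:
    """Release gate: True only when the audit produces no findings."""
    return not audit_accounts(accounts, known_defaults)


# Constructed sample export of an application's account table before release.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "enabled": True, "password": hash_password("admin", "s1")},
    {"username": "guest", "enabled": False, "password": hash_password("guest", "s2")},
    {"username": "ops", "enabled": True, "password": hash_password("changeme", "s3")},
    {"username": "svc_billing", "enabled": True, "password": hash_password("Correct-Horse-7!", "s4")},
]

# The same export after remediation: default accounts disabled or removed, passwords rotated.
REMEDIATED_ACCOUNTS = [
    {"username": "admin", "enabled": False, "password": hash_password("Kq7#vR2pLm9!zT", "s1")},
    {"username": "ops", "enabled": True, "password": hash_password("Ops-Rotated-2011#", "s3")},
    {"username": "svc_billing", "enabled": True, "password": hash_password("Correct-Horse-7!", "s4")},
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{f['severity']}] {f['username']}: {f['issue']}")
    print("gate passes before remediation:", gate_passes(SAMPLE_ACCOUNTS))
    print("gate passes after remediation:", gate_passes(REMEDIATED_ACCOUNTS))
```

The audit deliberately reports a disabled default account that still carries its vendor password as a finding: a disabled account can be re-enabled by a later change, so the policy is better served by removing the account or rotating its password than by relying on the enabled flag alone.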
applications going into production, establishing a secure configuration profile for the application and a prescriptive operational guide for the environment would save you a great deal of incident response, diagnosis, and forensics effort. For instance, before deployment, you need to ensure that network security and application monitoring/diagnostics mechanisms are in place.
software producer, one of the most effective ways you can improve application security is to establish a set of well-understood bug-reporting practices and channels. Ensure that you have designated personnel for tasks ranging from handling initial bug reports and interfacing with customers to dealing with resulting issues, performing bug analysis, determining priorities, chasing down root causes, and ultimately performing remediation. You also need to tie security bug fixes to a developers performance, in order to incent them to fix security issues.
Longer-Term Efforts Require Commitment

As the buyer side starts to demand secure software, the power balance will start to shift toward more strategic approaches to managing application-level risks. Information security professionals can encourage this change by engaging in these longer-term initiatives:
industry certification would bring formal recognition that a particular software-producing body has demonstrated a proficient level of application security practices and competence. The certification would carry credibility in the company, attest to consistent training practices that maintain the level of expertise, and give buyers a high level of confidence in software applications. Security professionals should engage with industry groups like OWASP or SANS to hammer out a set of certification requirements and work with vendors to ensure that proper verification of the requirements can take place.
methodology, such as Microsoft's Security Development Lifecycle (SDL), and adapt it for your own environment. Implement more strategic and preventive security measures, such as threat modeling, secure design, and code-level analysis, throughout your application life cycle, from the requirements phase to production. In addition, put in place an accountability structure and incentive measures to further the cause of application security. Concrete examples of accountability measures include evaluating developers with security metrics, establishing common bug criteria across development and test, and placing explicit performance requirements on developers to work with security testers.
Continue to drive awareness of the changing threat landscape. Concerns over cybersecurity and the changing threat landscape will drive demand for proactive measures, advanced analytics, and ultimately a more risk-centric approach to security. Driving awareness of cyberthreats will help application security professionals articulate alignment with business value and secure justification for investments.
RECOMMENDATIONS
Do your part to promote an application security ecosystem. Both buyers and producers can play a role in this ecosystem. Buyers can demand secure software; producers in turn will demand the same from their software supply chain. Third parties can play an independent verification and certification role. The ecosystem is well established when all involved parties expect secure software and everyone knows how to evaluate it.
ENDNOTES
1. Source: Forrsights Security Survey, Q3 2010. Respondents indicate that data security and network security are the top two priorities for IT security.
2. See the July 8, 2009, "TechRadar For SRM Professionals: Application Security, Q3 2009" report.
3. Source: Verizon Business, 2010 Data Breach Investigations Report (http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf).
For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com. We offer quantity discounts and special pricing for academic and nonprofit institutions.
Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies, providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 27 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.