Key findings from ESG’s Modern Application Development Security report
A deep dive into security issues
In August 2020, the Enterprise Strategy Group (ESG) published its report, “Modern Application Development Security.” ESG is a company specialized in IT-related research. It provides market intelligence to companies all over the world. To compile its report, ESG surveyed 378 cybersecurity, application development and IT professionals based in North America (the U.S. and Canada). Those professionals were involved to some extent in security work on application development processes and tools.
This article provides a summary of ESG’s Modern Application Development Security report. More specifically, it will discuss in detail the following findings:
- Many professionals wrongly believe their application security programs are secure
- The security of application development and deployment models needs to be ensured by using multiple security testing tools
- The security training of developers is inadequate
- The abundance of AppSec testing tools confuses organizations
- Many organizations invest or plan to invest in improving their application security processes
Many professionals wrongly believe their application security programs are secure
According to ESG’s Modern Application Development Security report, more than one-third of the interviewed professionals evaluated the security of their application security programs with a rating of 9 or 10 (0 to 10 range). The average rating of all responses is 7.92.
Despite the confidence of most professionals in the application security of their organizations, 60% of those interviewed reported vulnerabilities in their systems. Only 19% reported that their security analysts participate in daily meetings. Just 29% work with developers to do threat modeling, and 31% work directly with developers to review individual code and features. A positive finding of the report is that 78% stated their security analysts are directly engaged with their developers.
The security of application development and deployment models needs to be ensured by using multiple security testing tools
Nowadays, no single testing technique is sufficient to reduce application security risks to a reasonable level. Therefore, organizations need to utilize various testing techniques. The report has indicated that the most popular testing technique is API security vulnerability (ASV) scanning (used by 56% of the respondents). It is followed by infrastructure-as-code security tools (40%) and static application security testing (SAST) (40%). Only 16% of the interviewed professionals reported using fuzzing to identify security and stability issues, and 15% noted that they use container runtime configuration security tools.
The report also collected data about the challenges faced by the surveyed organizations about testing tools. Twenty-nine percent of those organizations admitted their developers lack the knowledge to mitigate the identified issues. Twenty-six percent revealed difficulties pertaining to the integration of different application security vendor tools or a complete lack of integration between such tools. Twenty-six percent pointed out that their testing tools add friction or slow down their development cycles.
The security training of developers is inadequate
Thirty-five percent of the surveyed organizations stated that less than half of their development teams participate in formal training. Just 15% of the organizations noted that all their developers are participating in security training. Less than 50% require their developers to undergo formal training more than once per year, and 1% do not have any security training for their developers.
The report also shows that many organizations expect their developers to self-educate on application security (16%) or utilize just-in-time training available from within security tools (17%). One-fifth of the respondents provide security training only at the time when their developers join their teams.
A particularly concerning statistic is that less than 50% of the organizations reported they have metrics that measure the efficacy of application security training programs — and 2% do not have any such metrics.
The abundance of AppSec testing tools confuses organizations
Seventy-two percent of the organizations admitted that they use more than 10 AppSec testing tools. The large number of tools makes their integration and management difficult. Thirty percent of the organizations found the large number of AppSec testing tools a significant problem. Fifty-four percent argued the large number of tools is a minor problem, but it becomes sometimes challenging. Only 16% did not find it a problem.
Many organizations invest or plan to invest in improving their application security processes
More than half of the surveyed organizations plan to significantly increase their spending (in comparison with the last year). Thirty-seven percent plan to moderately increase the spending, and 10% plan to keep the spending the same as the previous year. Despite their willingness to increase the spending on application security, only 30% of the organizations plan to protect more than 75% of their codebase in the next year.
Forty-three percent of the organizations plan to invest toward securing cloud application development processes. Thirty-four percent focus their investments on the consolidation of tools to simplify overall processes. Seventeen percent of the organizations reported their investments are focused on improving the efficacy of their application security programs.
A weakness in security
ESG’s Modern Application Development Security report indicates various weak security points in the application development processes of the respondents. For example, it has shown that there is overconfidence in the security of application development programs, whereas the reality is that more than half of the respondents reported vulnerabilities in their application development processes. The use of a large number of security testing tools significantly hampers the security testing processes of many organizations. The security training is often inadequate and, in some cases, is completely lacking. Despite the willingness of many organizations to invest in the improvement of their application security processes, only a small fraction of them plan to protect more than three-fourths of their codebase in the next year.
Organizations willing to prevent information security incidents and attacks can learn from the report and take measures to ensure that their systems and processes will not have the drawbacks mentioned.
Laliberte, B., ‘ESG Master Survey Results: Trends in Modern Application Environments’, esg-global.com, 19 December 2019. Available at https://www.esg-global.com/research/esg-master-survey-results-trends-in-modern-application-environments