MAS Report provides insight on how to create an application security program, taking budget, governance, and relevant metrics into account.
Agile development, DevOps environments, and increasing regulatory stringency across the globe have created new pressure for security teams within financial institutions. A recent manifestation of this movement was the new PCI Software Security Framework, which included 2 new standards for payment application vendors. With this new pressure, many organizations are now faced with the task of building application security programs that can help them meet new regulations at scale.
In 2017, Security Compass surveyed security leaders at top financial institutions across North America to learn about their application security practices, the key business drivers behind those practices, and the technologies used to carry them out. The final outcome of this research was a first-of-its-kind industry benchmark report, called ‘Managing Application Security: Insights from Financial Institutions.’ The most striking finding was that, while most institutions (75%) expressed beliefs that application security was a high or critical priority, only half leveraged third-party security vendors to create a formal program, and 74% believed that they had potential vulnerabilities that were undetected or unfixed.
Here, we will take an in-depth look at the results of our research. These results can be used as an industry standard to help financial institutions better understand how to effectively build application security programs within their own organizations.
Key Findings
The survey we used to collect research was distributed in person, by phone, and by video conference. We spoke to respondents from 28 of the largest banks, insurance companies, payments companies, and investment firms in North America.
For more details on the research methodology, download a complete copy of our report here.
• Nearly all respondents had secure coding standards and guidelines at hand, but the majority of those respondents were not able to validate whether those standards were being adhered to.
• Only 8% of respondents tracked the amount of money that they had spent on vulnerability remediation.
• Dynamic analysis security testing (DAST) and static analysis security testing (SAST) tools were ranked high as commonly performed security activities (4th and 6th out of 16, respectively), yet these tools only detect about half of all application-level vulnerabilities.
• Despite using third-party vendors, less than 50% of respondents required these vendors to have an application security policy.
• In fact, only 8% of those who use third-party vendors provide detailed application security requirements as part of their third-party software vendor contracts.
Future Directions
The results of our research clearly indicate that the activities required to uphold efficient and reliable application security programs in financial organizations are not being adequately executed. As Rohit Sethi, our Chief Operating Officer, states, “simply selecting best practices from an SDLC framework may not result in an ability to execute. Organizations should select security activities that meet their risk reduction and scalability goals.” They should also, he says, “identify a trusted partner to help deploy an effective and budget-friendly AppSec program complete with training, expert consulting, and automation.”
To learn more about our SD Elements Solution, which combines automation, training, and services, contact us here.
To learn more about our research results, access the full Managing Application Security report here.