Study: Application Vulnerabilities Are No. 1 Threat
Shortage of training among developers is a key cause of high vulnerability rates, (ISC)2 survey says
Application vulnerabilities are the top concern of security professionals, but development teams still are not well-trained in security issues, (ISC)2 warned this week.
In a release published Tuesday, (ISC)2 -- the security industry's largest professional association -- cited data from its recent 2013 Global Information Security Workforce Study, in which 69 percent of security pros rated application vulnerabilities as a high concern -- the highest rating of any threat in the survey.
More Security Insights
White PapersMore >>
- Agile Service Desk: Keeping Pace or Getting out Paced by New Technology?
- Inside Threats: Is Your Company at Risk?
Insecure software was a contributor in approximately one-third of attributable security breaches, according to the (ISC)2 study.
At the same time, the study cites a lack of security training in the application development process. Only 21 percent of information security professionals are involved in software development, 20 percent in software procurement, and 10 percent in outsourcing, (ISC)2 says. Most respondents (75 percent) become involved during the specification requirements phase of development.
Recent studies from Veracode and Cenzic indicate that most applications, even those that have been deployed for some time, contain security vulnerabilities.
"If we're going to eliminate vulnerabilities, security has to be a part of the development process all the way through, from design to retirement of the application," says Hord Tipton, executive director of (ISC)2. "It can't be bolted on after the application has already been developed."
(ISC)2 has developed the CSSLP, a program for certifying developers and security professionals in application security, but Tipton says it is experiencing slow growth of about 20 percent annually. Unlike (ISC)2's general security certification, the CISSP, the CSSLP is not frequently used as a requirement in hiring, he says.
"Nobody's really demanding that this problem get fixed," Tipton says. Almost half of security organizations in the study said they are not involved in the application development process at all, he notes.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.