Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Study: Application Vulnerabilities Are No. 1 Threat
Shortage of training among developers is a key cause of high vulnerability rates, (ISC)2 survey says
2 Min Read
Application vulnerabilities are the top concern of security professionals, but development teams still are not well-trained in security issues, (ISC)2 warned this week.
In a release published Tuesday, (ISC)2 -- the security industry's largest professional association -- cited data from its recent 2013 Global Information Security Workforce Study, in which 69 percent of security pros rated application vulnerabilities as a high concern -- the highest rating of any threat in the survey.
Insecure software was a contributor in approximately one-third of attributable security breaches, according to the (ISC)2 study.
At the same time, the study cites a lack of security training in the application development process. Only 21 percent of information security professionals are involved in software development, 20 percent in software procurement, and 10 percent in outsourcing, (ISC)2 says. Most respondents (75 percent) become involved during the specification requirements phase of development.
Recent studies from Veracode and Cenzic indicate that most applications, even those that have been deployed for some time, contain security vulnerabilities.
"If we're going to eliminate vulnerabilities, security has to be a part of the development process all the way through, from design to retirement of the application," says Hord Tipton, executive director of (ISC)2. "It can't be bolted on after the application has already been developed."
(ISC)2 has developed the CSSLP, a program for certifying developers and security professionals in application security, but Tipton says it is experiencing slow growth of about 20 percent annually. Unlike (ISC)2's general security certification, the CISSP, the CSSLP is not frequently used as a requirement in hiring, he says.
"Nobody's really demanding that this problem get fixed," Tipton says. Almost half of security organizations in the study said they are not involved in the application development process at all, he notes.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
More Insights
Webinars
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024
