Takeaways from 2017 SANS State of Application Security Survey
Category : Rapid7
The training and research organization SANS recently released their 2017 State of Application Security survey results. The new report proves that now, more than ever, organizations need to invest in solutions that automate application security testing in order to reap benefits like:
- Identifying security vulnerabilities earlier in the development cycle, when they’re cheaper to fix.
- Reduced friction between Security and Development teams.
- Improved ability for Security to keep pace with the rapid rate of application development.
Here are some key takeaways from the report:
The Speed of Application Development Is Accelerating
According to the survey results, a surprising 43% of organizations are pushing out changes to their applications weekly, daily, or continuously. A number of technologies and trends are seeing widespread adoption, allowing development teams to release faster than ever. Agile software development practices, the move to the cloud, application containers, devops, continuous integration, and infrastructure-as-code are all contributing factors. As development accelerates, security unfortunately is finding it difficult to keep up.
Development Is Moving Faster, But What About Security?
Even though application development cycles are getting shorter, web application security testing is still occurring far too infrequently. 24% of organizations security test their applications once a year or less, and 10% are still not testing or assessing their business-critical applications at all. By far, the most common method of assessing the security of applications is internal penetration testing (66% of survey respondents), followed by penetration testing as a service]. Pen testing, although critical, occurs far too infrequently and is often too manual a process to be able to keep up with the rate at which developers are updating their applications.
So How are Leading Security Organizations Keeping Pace with Development?
Just to keep up, security teams are leaning heavily on automation to security test their applications. This means:
- Static Application Security Testing (SAST) integrated into automated build and in the developer’s IDE’s to catch vulnerabilities on the fly.
- Automated software composition analysis (SCA) to search for known vulnerabilities in open source and third party libraries.
- Container vulnerability and security scanning.
- Dynamic Application Security testing (DAST) scans run automatically in the continuous integration pipeline, alongside functional tests.
There are some trade-offs with automation; in order to have security assessments run quickly enough to not hinder the pace of development, the assessments typically are not comprehensive and focus mainly on critical vulnerabilities. Periodic pen testing, in-depth manual reviews, configuration audits, and deep web app scanning are still required to find vulnerabilities missed in end-to-end automated workflows.
What’s Rapid7’s Take?
Rapid7 is embracing automation in a big way, and we see it as a critical component of securing the modern network and bridging the gap between Security, IT, and Development teams. Rapid7’s application security solutions can be integrated into the software development lifecycle, so that scans are run automatically as part of the software delivery pipeline. To learn more, visit our solutions page.
Author: Alfred Chung