Oct 20, 2017
As well as protecting your applications and the sensitive data they contain, improving your application security can save your organisation a great deal of time and expense. Good application security training is a crucial first step to improving your organisation’s application security. Today, We're looking at 6 statistics that demonstrate why application security training is essential for protecting your organisation and its data.
1) At Least 70% of Vulnerabilities Exist in the Application Layer
Gartner has estimated that 70% of all vulnerabilities are caused by poor application security – and other researchers have estimated the figure to be as high as 90%.While many organisations assume that the network layer of their infrastructure is the primary source of security vulnerabilities, it’s actually the application layer that poses the biggest threat.
2) Only 1 in 40 Web Applications has a Web Application Firewall
Web application firewalls (WAFs) inspect all traffic flowing to web applications for common attacks, such as cross-site scripting, SQL injection, and command injection.Despite WAFs being able to detect many of the most common web application vulnerabilities, on average only 1 in 40 applications in a recent study was found to use a web application firewall to protect against common attacks.
3) 71% of Developers Believe Security is Not Addressed During the SDLC
The sooner you catch a vulnerability during the SDLC, the easier (and cheaper) it is to fix.Despite the exponentially growing cost and complexity of fixing application vulnerabilities after deployment, more than two thirds of developers believe that their organisations make no efforts to address security during the development lifecycle.
4) Only 22% of Developers Have Any Role in Testing Application Security
Less than a quarter of software developers have any active role in testing application security during the SDLC.This is because in most organisations, security is a separate department and the development team has very little security knowledge, making it harder to identify and remediate vulnerabilities, and prevent them from making it into the finished product.
5) 47% of Developers Have No Mandate to Fix Vulnerable Code
Even worse: once a vulnerability is detected, almost half of developers lack the authority to fix them. Instead it is normally passed over to the security team, making the remediation process longer and allowing more time for the vulnerability to be exploited.If security isn’t prioritised during the SDLC and developers aren’t involved in security testing for their applications, they will make the same mistakes over and over, and without mandate to remediate these vulnerabilities, this can cause significant friction between your development and security teams.
6) 89% of Application Vulnerabilities Are in the Software Code
This is compared with only 11% that are caused by application misconfigurations. This highlights the importance of educating your development team in secure coding best practices, to guard against the most common application vulnerabilities such as those listed in the OWASP Top 10.By teaching your developers defensive coding, your organisation can reduce vulnerabilities at the source, reducing the number of mistakes and loopholes that make it into the finished code.Sources1 2 3 4 5Discover how to roll-out your own effective application security training program, and download our whitepaper below.