The researchers Jim Bird and Frank Kim stated the goals were to discover:
- How widespread and mature application security programs are
- Their effectiveness
- Which tools and practices are being utilised throughout the development lifecycle, and which are most useful
- How training is being undertaken and its effectiveness
- How much is being spent on application security, where and whether this is aligned with organisational risk
- The organisations' future plans for application security
488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or fewer people. 30% of respondents had development teams with fewer than 25 staff, and 6% had no developers at all, with all software development being outsourced.
The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.
The survey found that although organisations are investing more in application security, the investment is not particularly effective: root causes are not being addressed, and there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.
There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Centre has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers to improve software security control practices.
Posted on: 25 February 2014 at 07:15 hrs