start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
start portlet menu bar end portlet menu bar
Close
Select Page
Secure DevOps
  | October 20, 2020

Ponemon Institute and HCL AppScan Reveal State of Application Security in DevOps Environments

Larry Ponemon
Larry Ponemon
Chairman and Founder of the Ponemon Institute
Ponemon Institute and HCL AppScan Reveal State of Application Security in DevOps Environments

Introduction

The goal of Ponemon Institute’s Application Security in the DevOps Environment study, sponsored by HCLSoftware, was to better understand organizations’ ability to quickly detect,  prioritize and repair vulnerabilities in their applications.

As such, Ponemon Institute surveyed 626 individuals who work in IT security, quality assurance or development roles. In addition, all of the survey respondents’ organizations utilize a DevOps approach that includes application security testing.

The goal of this blog is to recap our study’s key findings. For a complimentary copy of our comprehensive report, please click here.

Showcase Findings

Although the report is full of compelling findings about Application Security protection and DevOps usage, these findings proved to be the most compelling:

  • Attacks against vulnerable applications are costlier that we might expect. In the past 12 months, organizations represented in the research incurred an average total economic loss of $12 million as a result of attacks against their vulnerable applications.
  • Some of the surveyed organizations in our research incurred astonishing total economic losses that exceeded $100 million as a result of attacks against their vulnerable applications. To put the $100 million figure into perspective, it is also represents the average total IT budget for organizations who responded to the study.
  • It can take nearly 8 months on average for an organization to identify an attack on its vulnerable applications and 6 months to recover from the attack.
  • On average, 67% of business-critical applications are not continuously tested for vulnerabilities.
  • 74% of respondents stated that many applications were delayed in their development cycles, due to code that needed to be evaluated for security concerns, which impacted the organizations’ release deadlines.
  • 71% of respondents stated that lack of visibility and consistency in their DevOps security practices ultimately put customer and employee data at risk.

Positive Trends

The study also shed light on several positive trends in Application Security and DevOps:

  • Organizations are making significant investments in application security and DevOps. Of the average $100 million IT budget for the study’s respondents, nearly $25 million was allocated to application security activities and another $20 million was allocated to DevOps activities.
  • Primary drivers for organizations’ security budgeting and investment decisions included the following: Reducing risk (65% of respondents); Meeting compliance/regulatory mandates (53% of respondents) and generating Return on Investment (ROI) (51% of respondents).
  • When organizations perform application security testing, they utilize a variety of different testing methodologies, including DAST, SAST, IAST, SCA and Penetration Testing.
  • In an especially promising sign, 49% of respondents say that their organizations empower developers to identify vulnerabilities within the coding process and 47% of respondents say their organizations ensure training on how to secure the coding process.
  • 52% of respondents reported that automating vulnerability scanning at every stage of their Software Development Lifecycle (SDLC) was important to their organization, and 56% of respondents stated that fixing vulnerabilities quickly using automated tools was important.

Areas of Improvement

Finally, the study revealed several areas in which AppSec and DevOps professionals be more effective, and where additional progress clearly needs to be made:

  • Not a single organization stated that it could prevent more than 50% of attacks against already deployed vulnerable applications, and 45% of respondents stated that their organizations could prevent fewer than 15% of such attacks.
  • When an attack occurs against their vulnerable applications, organizations reported that they can detect and contain only 40% of those attacks on average.
  • Nearly half of organizations test their applications on a quarterly basis or longer, with 6% of respondents stating their organizations test applications on a yearly basis. 25% of respondents said that their organizations had no planned testing cycles.
  • For study respondents, staffing shortages represented the primary barrier to preventing attacks against vulnerable applications (63% of respondents). And, alert fatigue continued to be a significant concern, with 40% of respondents reporting that their appsec findings generated too much noise for them to be managed effectively.
  • Only 38% of organizations report that they are able to fix vulnerabilities as early as possible.

Learn More

We also encourage you to listen to our webinar, where Eitan Worcel and I analyze the study’s results in greater detail.

Comment wrap
Larry Ponemon
Larry Ponemon
Chairman and Founder of the Ponemon Institute
Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute and is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also an appointed to two California State task forces on privacy and data security laws. He is a member of Shared Assessments’ Advisory Board. Dr. Ponemon earned his Ph.D. at Union College. He has a Master’s degree from Harvard University and attended the doctoral program in system sciences at Carnegie Mellon University. Dr. Ponemon earned his Bachelors with Highest Distinction from the University of Arizona, Tucson, Arizona. He is a Certified Public Accountant and a Certified Information Privacy Professional.
Read more

Topics in this article:

Alert FatigueApplication Security TestingAppSecDASTDevOpsHCL CodesweepIASTLarry PonemonPonemon InstituteSASTSCA

Submit a Comment

Your email address will not be published. Required fields are marked *

* HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


appscan
Secure DevOps | May 14, 2024
HCL AppScan 360º: Unlocking Scalability and Efficiency
HCL AppScan 360º gets a major upgrade! Kubernetes-powered architecture brings easier scaling, simplified management and stronger security. Learn more!
Uffe Sorensen
Eitan Oberman
Senior Product Manager
appscan
Secure DevOps | February 12, 2024
Mobile Application Security Testing Continues Upward Trajectory
Cybersecurity threats on the rise? Secure your mobile apps with HCL AppScan. Top-tier solutions for developers in a $3.2B market. Learn more from the Forrester Wave™ report (Q3, 2023).
Uffe Sorensen
Nabeel Jaitapker
Product Marketing Lead, HCLSoftware
appscan
Secure DevOps | December 20, 2023
Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
Uffe Sorensen
Itay Levin
Design Lead for HCL AppScan
start portlet menu bar end portlet menu bar