
Introduction

The goal of Ponemon Institute’s Application Security in the DevOps Environment study, sponsored by HCLSoftware, was to better understand organizations’ ability to quickly detect, prioritize and repair vulnerabilities in their applications.

As such, Ponemon Institute surveyed 626 individuals who work in IT security, quality assurance or development roles. In addition, all of the survey respondents’ organizations utilize a DevOps approach that includes application security testing.

The goal of this blog is to recap our study’s key findings. For a complimentary copy of our comprehensive report, please click here.

Showcase Findings

Although the report is full of compelling findings about Application Security protection and DevOps usage, these findings proved to be the most compelling:

  • Attacks against vulnerable applications are costlier than we might expect. In the past 12 months, organizations represented in the research incurred an average total economic loss of $12 million as a result of attacks against their vulnerable applications.
  • Some of the surveyed organizations in our research incurred astonishing total economic losses that exceeded $100 million as a result of attacks against their vulnerable applications. To put the $100 million figure into perspective, it also represents the average total IT budget for organizations that responded to the study.
  • It can take nearly 8 months on average for an organization to identify an attack on its vulnerable applications and 6 months to recover from the attack.
  • On average, 67% of business-critical applications are not continuously tested for vulnerabilities.
  • 74% of respondents stated that many applications were delayed in their development cycles, due to code that needed to be evaluated for security concerns, which impacted the organizations’ release deadlines.
  • 71% of respondents stated that lack of visibility and consistency in their DevOps security practices ultimately put customer and employee data at risk.

Positive Trends

The study also shed light on several positive trends in Application Security and DevOps:

  • Organizations are making significant investments in application security and DevOps. Of the average $100 million IT budget for the study’s respondents, nearly $25 million was allocated to application security activities and another $20 million was allocated to DevOps activities.
  • Primary drivers for organizations’ security budgeting and investment decisions included the following: Reducing risk (65% of respondents); Meeting compliance/regulatory mandates (53% of respondents) and generating Return on Investment (ROI) (51% of respondents).
  • When organizations perform application security testing, they utilize a variety of different testing methodologies, including DAST, SAST, IAST, SCA and Penetration Testing.
  • In an especially promising sign, 49% of respondents say that their organizations empower developers to identify vulnerabilities within the coding process and 47% of respondents say their organizations ensure training on how to secure the coding process.
  • 52% of respondents reported that automating vulnerability scanning at every stage of their Software Development Lifecycle (SDLC) was important to their organization, and 56% of respondents stated that fixing vulnerabilities quickly using automated tools was important.

Areas of Improvement

Finally, the study revealed several areas in which AppSec and DevOps professionals could be more effective, and where additional progress clearly needs to be made:

  • Not a single organization stated that it could prevent more than 50% of attacks against already deployed vulnerable applications, and 45% of respondents stated that their organizations could prevent fewer than 15% of such attacks.
  • When an attack occurs against their vulnerable applications, organizations reported that they can detect and contain only 40% of those attacks on average.
  • Nearly half of organizations test their applications on a quarterly basis or longer, with 6% of respondents stating their organizations test applications on a yearly basis. 25% of respondents said that their organizations had no planned testing cycles.
  • For study respondents, staffing shortages represented the primary barrier to preventing attacks against vulnerable applications (63% of respondents). Alert fatigue continued to be a significant concern, with 40% of respondents reporting that their AppSec findings generated too much noise to be managed effectively.
  • Only 38% of organizations report that they are able to fix vulnerabilities as early as possible.

Learn More

We also encourage you to listen to our webinar, where Eitan Worcel and I analyze the study’s results in greater detail.
