2015 State of Application Security: Closing the Gap

The 2015 SANS State of Application Security Analyst Paper and webcasts are complete. This year, Jim Bird, the lead author of the SANS Application Security Survey series, Frank Kim, and I all participated in writing the questions, analyzing the results, drafting the paper, and preparing the webcast material.

In the 2015 survey, we split the survey into two different tracks: defenders and builders. The first track focused on the challenges facing the defenders who are responsible for risk management, vulnerability assessment, and monitoring. The second track focused on the challenges facing the builders responsible for application development, peer reviews, and production support.

Overall, we had 435 respondents, 65% representing the defenders and 35% representing the builders. Based on the results, the communication barriers between defenders and builders are shrinking. But, there is still work that needs to be done:

• Defenders and builders are focused on where the greatest security risks are today: 79% web applications, 62% mobile applications, and 53% private cloud applications.
• Managers are becoming more aware of how important - and how hard - it is to write secure software. Today, application security experts are reaching out to builders and speaking at their conferences. As a result, builders are more aware of risks inherent in the same applications that defenders are concerned with.
• Management needs to walk the talk and provide developers with the time, tools and training to do a proper job of building secure systems.

For more analysis, the webcasts and analyst paper can be found below:

2015 State of Application Security Analyst Paper: Closing the Gap

Webcast Part 1: Defender Issues

Webcast Part 2: Builder Issues

Thank you to all of the sponsors for bringing this content to the SANS community: HP, Qualys, Veracode, Waratek, and WhiteHat Security.

Also, a special thank you goes out to our webcast panel: Will Bechtel (Qualys), Robert Hanson (WhiteHat Security), Bruce Jenkins (HP Fortify), Maria Loughlin (Veracode), and Brian Maccaba (Waratek).

Happy reading!

About the Author Eric Johnson is a Senior Security Consultant at Cypress Data Defense, Application Security Curriculum Product Manager at SANS, and a certified SANS instructor. He is the lead author and instructor for DEV544 Secure Coding in .NET, as well as an instructor for DEV541 Secure Coding in Java/JEE. Eric serves on the advisory board for the SANS Securing the Human Developer awareness training program and is a contributing author for the developer security awareness modules. Eric's previous experience includes web and mobile application penetration testing, secure code review, risk assessment, static source code analysis, security research, and developing security tools. He completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.