For Financial Institutions and Other Organizations
Security Compass is excited to release its first Managing Application Security Report, which offers a benchmark for application security practices in a variety of organizations.
The information was gathered from extensive interviews with CISOs at leading financial institutions, with a mind to providing useful insights for organizations in all industries on common application security practices, key business drivers, and technology trends driving the sector.
The report’s findings show that while the majority of financial institutions, 75%, view application security as a high or critical priority, only half require third-party security vendors to have a formal policy or program in place. Even more alarming, 74% of potential vulnerabilities are either undetected or unfixed.
Agile development, a move toward third-party and cloud-based software, and increased global regulatory scrutiny are putting new pressures on security teams within financial institutions and other organizations. Overwhelmed by the enormity of securing entire software portfolios while meeting regulatory compliance and keeping customer satisfaction high, many organizations struggle to initiate, structure, and scale application security programs.
Download the full report here.
Key findings include:
- Nearly 70 percent of application security teams are composed of a central group of application security experts, with champions in individual teams or business units.
- Almost all respondents have secure coding standards and guidelines, but most could not validate how widely the standards were being followed.
- Only eight percent track the amount of money spent on vulnerability remediation.
- Dynamic analysis (DAST) and static analysis (SAST) tools place 4th and 6th on the list of the most broadly performed security activities out of 16 security activities surveyed. That said, these same tools leave nearly half (46%) of application-level risks undetected.
- More than half of respondents procure at least 50 percent of their software from third-party vendors, with 17 percent primarily relying on outside software.
- However, less than 50 percent require third-party vendors to have an application security policy.
- Only eight percent provide detailed application security requirements as part of third-party software vendor contracts.
“Like the annual Verizon Data Breach Investigations Report (DBIR), we want financial institutions, and companies in all industries, to leverage this report to enhance their business cases, create sound application security programs, and push their agendas forward,” said Rohit Sethi, Chief Operating Officer at Security Compass. “As the results of this survey indicate, simply selecting best practices from a secure software development lifecycle (SDLC) framework may not result in an ability to execute. Organizations should select security activities that meet their risk reduction and scalability goals and identify a trusted partner to help deploy an effective and budget-friendly AppSec program complete with training, expert consulting and automation.”
This survey was conducted in-person, by phone and video conference from July-December 2016. Survey respondents consisted of security and risk personnel from 28 of the largest banks, insurance companies, payment companies, and investment firms by market capitalization in the United States and Canada. For complete survey methodology, see page 66 of Managing Application Security: Insights from Financial Institutions.