This document summarizes the results of a survey about application security. It finds that 51% of respondents had experienced at least one web application security incident since 2011, with 18% reporting losses of at least $500,000. While many organizations employ security measures, few take a holistic strategic approach. There is also often a disconnect between development and security teams. To improve, companies need to integrate security into development from the start and better align development and security goals.
With malware attacks growing more sophisticated, swift, and dangerous by the day — and billions of dollars spent to combat them — surprisingly few organizations have a grip on the problem. Only 20 percent of security professionals surveyed by Information Security Media Group (ISMG) rated their incident response program “very effective.” Nearly two-thirds struggle to detect APTs, limiting their ability to defend against today’s most pernicious threats. In addition, more than 60 percent struggle with the speed of detection, and more than 40 percent struggle with the accuracy of detection. Those shortcomings give attackers more time to steal data and embed their malware deeper into targeted systems. For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ... by FireEye, Inc.
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
In a survey of U.S. technology and healthcare executives nationwide, Silicon Valley Bank found that companies believe cyber attacks are a serious threat to both their data and their business continuity.
Highlights
- 98% are maintaining or increasing resources devoted to cyber security
- 50% are increasing their cyber security resources, preparing for when, not if, cyber attacks occur
- Just 35% are completely or very confident in the security of their company information, and only 16% feel the same about their business partners
Perception Gaps in Cyber Resilience: What Are Your Blind Spots? by Sarah Nirschl
Protecting enterprise systems against cyber threats is a strategic priority, yet only 42% of executives are confident they could recover from a cyber event without impacting their business. Find out the hidden risks of shadow IT, cloud and cyber insurance.
Malware infections or exploited vulnerabilities could significantly impact the safety of customer information: before your business has time to react, your public-facing website could be infected and blacklisted by search engines, customer trust could be compromised, and the clean-up in the aftermath of an attack could wreak havoc with your brand. With increasingly smart malware infections and consequent online data loss, your business must do more than simply react to website security issues.
Managing Cyber Risk: Are Companies Safeguarding Their Assets? by EMC
This white paper summarizes the results of a survey done by RSA, NYSE Governance Series, and Corporate Board Member, in association with Ernst & Young, with 200 audit committee members responding on a variety of issues regarding their cyber risk oversight program.
State of Web Application Security by Ponemon Institute (Jeremiah Grossman)
Ponemon Institute conducted this study to better understand the risk of insecure websites and how organizations are addressing internal and external threats. Sponsored by Imperva and WhiteHat Security, the study reveals that despite having mission-critical applications accessible via their websites, many organizations are failing to provide sufficient resources to secure and protect Web applications important to their operations. This is particularly alarming given that the Web application layer is the number one attack target of hackers.
We surveyed 638 IT and IT security practitioners with approximately 13 years of IT experience in large US-based organizations with an average headcount of about 10,000. They most often work in network, data and application security, including quality assurance for development and testing. More than half are involved in setting priorities, managing budgets and selecting vendors and contractors.
While participants in this study consider theft of data to be the biggest threat to their websites, they do not believe that their organizations are viewing Web security as a strategic initiative. They also believe their organizations are not allocating sufficient resources to protecting critical Web applications. Further, the IT practitioners surveyed are divided on whether the Web application security program is threat-based (41 percent) or compliance-based (40 percent).
SANS 2013 Report: Digital Forensics and Incident Response Survey by FireEye, Inc.
Cloud computing and bring-your-own-device (BYOD) workplace policies are expanding the endpoints in IT infrastructures — and adding complexity when it comes to investigating cyber attacks. The SANS 2013 Report on Digital Forensics and Incident Response Survey reveals some of the major difficulties that security professionals face in this new environment and how to better prepare for future investigations. Collecting responses from more than 450 security professionals across a range of industries and company sizes, the survey found that nearly 90 percent of respondents had conducted at least one forensics investigation within the last two years. But just 54 percent called their digital forensics capabilities “reasonably effective.” For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
Talk from the event "Cybersecurity: the new era in incident response and data auditing"
Sam Maccherola - VP and General Manager, Public Sector, Guidance Software Inc.
Brasília, 4 August 2010
Executive Summary of the 2016 Scalar Security Study by Scalar Decisions
Executive Summary of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016/
Symantec Internet Security Threat Report 2011 Trends, Volume 17, April 2012 by Symantec
Symantec's 2011 Internet Security Threat Report, Volume 17 shows that while the number of vulnerabilities decreased by 20 percent, the number of malicious attacks continued to skyrocket by 81 percent. In addition, the report highlights that advanced targeted attacks are spreading to organizations of all sizes and a variety of personnel, that data breaches are increasing, and that attackers are focusing on mobile threats.
Symantec's Internet Security Threat Report, Volume 18 revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
Symantec offers an in-depth analysis of Rogue Security Software. Rogue security software consists of fake applications that pretend to provide computer security services but whose actual goal is to install malicious code that compromises the overall security of the machine.
Overview - Risks - Main methods of spread and distribution.
The observation period runs from July 2008 to June 2009; a summary of the study is presented here.
The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011 by Lumension
The State of Endpoint Risk 2011 study, conducted by the Ponemon Institute, has been published. Learn the latest endpoint protection best practices that can assist in your 2011 security planning, including:
• Increasingly sophisticated malware and the associated costs
• The top 5 applications that concern IT the most
• Third-party and Web 2.0 application usage policies and the importance of security awareness training programs
• Effective methods to communicate with senior management on evolving endpoint risk and its impact on the business
• Technologies that effectively prevent targeted malware and cyber attacks
In today’s interconnected world, few things terrify CEOs and CTOs more than electronic security (well, a breach of that security, anyway). Most of our records, personal information, corporate information, and sensitive data exist online or on Internet-connected hardware. Mobile, with all its advantages for enterprises, actually poses one of the largest emerging threats to those enterprises’ data security. As such, we wanted to share some statistics that demonstrate the severity of the problem and highlight the importance of mobile security for your business.
Cloud Security: Risks and Recommendations for New Entrants by irvinchoo
Show notes: The cloud is a service model that entails great benefits for its new entrants. However, its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.
EHR meaningful use security risk assessment sample document by data brackets
Under the HIPAA Privacy and Security Rule, business associates are required to perform active risk prevention and to safeguard patient information, both of which are very important to patient privacy. The HITECH Act allows only the minimum necessary information to be disclosed when handling protected health information (PHI).
This security risk assessment exercise has been performed to support the requirements of the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and other applicable state data privacy laws and regulations. Upon completion of this risk assessment, a detailed risk management plan needs to be developed based on the gaps identified from the risk analysis. The gaps identified and recommendations provided are based on the input provided by the staff, budget, scope and other practical considerations.
A polemic on the issues and challenges confronting us in the domains of "security" and risk management, as system architectures move to include the Cloud.
Keep an eye on the speaker notes for each slide -- there's stuff in there.
2016 Scalar Security Study Executive Summary by patmisasi
Executive Summary of the 2016 Scalar Security Study. The study examines the cyber security readiness of Canadian organizations and the trends in dealing with growing cyber threats.
We surveyed 650+ IT and IT security practitioners in Canada, and found that organizations are experiencing an average of 40 cyber attacks per year and only 37% of organizations believe they are winning the cyber security war. We looked at average spend, cost of attacks, and technologies that are yielding the highest ROI. We also provide recommendations on how you can benchmark your own security posture and what you can do to improve.
It's Time to Rethink Your Endpoint Strategy by Lumension
Today's IT network is more distributed and virtual than ever with the increased use of remote endpoints and cloud-based applications. And increasingly sophisticated malware is targeting the information stored on and accessed by these endpoints and applications. The security status quo has left organizations managing a multitude of products – and has not reduced the IT risk. This series examines the evolving threat landscape, why current defenses are decreasing in effectiveness and what key strategies you can implement to shift away from the status quo and improve protection against zero-day and targeted attacks, while also simplifying and reducing the costs of managing the endpoint environment.
White Paper: Spear-phishing, watering hole and drive-by attacks: The New ... by Invincea, Inc.
The single largest threat your organization faces today is network breach. Spear-phishing, poisoned search results, drive-by downloads, and legitimate sites being compromised to push malware are all part of our current reality. The most successful and common attack vectors stem from targeted attacks on your employees. Organizations need to utilize solutions that protect their network from user error and that support requirements for continuous monitoring, real-time situational awareness and actionable threat intelligence for their security teams.
The Stand Against Cyber Criminals: Lawyers, Take The Stand Against Cyber Crimi... by Symantec
Many law firms would suffer greatly from being breached due to the extremely sensitive data they are handling on a daily basis. Any cyber attack in this sector can be catastrophic, so do lawyers feel ready to stand against the rising tide of cybercrime? With this in mind, Symantec, in conjunction with the law publication Managing Partner, conducted a study into how law firms see cyber security.
The Internet Is a Dog-Eat-Dog World, and Your App Is Clad in Milk-Bone Underwear by Bob Wall
Presentation at the 2016 Big Sky Developers' Conference.
Overview of the dismal state of security on the Web, some suggestions for better app development processes to mitigate problems.
According to the HP-sponsored 2014 Executive Breach Preparedness Research Report, more than 70 percent of executives think that their organization only partially understands the information risks they’re exposed to as a result of a breach. To add to that, less than half of C-suite and board-level executives are kept informed about the breach response process.
This report also found that business leadership knows that their involvement in data breach incident response is important – but they don’t believe, generally, that they are actually accountable for data breaches. In fact, only 45% stated that they think they are accountable for data breaches in their organization.
Read the full report for more insights.
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA) to the 66th Annual Fowler Seminar on Oct 12 2012 titled Evolution of the Cyber Threat - A Unified Systems Approach.
Data-driven storytelling and security stakeholder engagement - FND326-S - AWS... by Amazon Web Services
Storytelling is a powerful tool for cybersecurity leaders aiming to improve communication with IT and non-IT stakeholders alike; the most trusted advisors are effective storytellers. With the right data—like the recently released 2019 Verizon Data Breach Investigations Report—CISOs and their teams can tell meaningful and relevant stories that help organizations strengthen their security cultures and empower executives to make better decisions about resource allocation and risk tolerance.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties – USA
- Expansion of bot farms – how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks – Europe
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic* by Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply applying machine learning to just any symbolic structure is not sufficient to really reap the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
DevOps and Testing slides at DASA Connect by Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... by Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3 by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
- UI automation introduction
- UI automation sample
- Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster: a step-by-step guide to success! by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Key Trends Shaping the Future of Infrastructure.pdf by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
JMeter webinar - integration with InfluxDB and Grafana
The Software Security Risk Report
A Forrester Consulting Thought Leadership Paper Commissioned By Coverity
The Road To Application Security Begins In Development
September 2012
Forrester Consulting
The Software Security Risk Report
Executive Summary
In July 2012, Coverity commissioned Forrester Consulting to conduct a survey study of 240 North American and
European software development and software security influencers. The purpose of the study is to understand the
current application security practices and identify key trends and market directions across industries.
Web applications, because of their external-facing nature, are some of the primary avenues for security attacks and data breaches. A breach of customer data can be detrimental to or costly for the company, but a breach of sensitive confidential corporate information or intellectual property can have devastating consequences. When that happens, it is no longer merely an exercise in cleanup, remediation, and public relations, but a potential blow to a firm’s long-term competitiveness in the market.1 For these reasons, building secure web applications resistant to attack is critical to a company’s IT posture and the goal of protecting critical data and corporate information.

Approximately half of the organizations we surveyed have experienced at least one web application security incident since the beginning of 2011 — many of which resulted in severe negative financial consequences. Eighteen percent reported that the breaches cost their organization $500,000 or more.

51% of respondents have had at least one web application security incident since the beginning of 2011. 18% of those respondents experienced losses of at least $500,000.
We also found that, when it comes to application security, most organizations employ tactical measures and point
technologies. Few attempt to implement a holistic, prescriptive application security methodology. This is primarily due
to time-to-market pressures, disconnects between developers and security professionals, and the lack of effective
application security incentives. Seventy percent of our survey respondents do not measure developers with security-
related metrics, and 57% do not send security requirements downstream to guide quality and security testing.
Looking forward, as companies grapple with a more sophisticated and menacing threat landscape, growing sets of
regulations and third-party requirements, and an unprecedented level of IT upheaval, they will have no choice but to
improve their application security posture. If developers do not integrate security and privacy into their development
practices from the earliest stages, addressing it later will not only be more expensive, but could be completely
ineffective. In this case, companies may find that more things than just their applications are at risk.
Key Findings
In summary, Forrester’s study yielded these key findings:
• Application security incidents are common and have severe consequences.
• Many organizations still struggle with the most basic security flaws.
• Most organizations do not have a holistic or strategic approach to application security.
• Application development and security teams and goals are often not aligned for optimized results.
Application Security Incidents Are Common And Consequences Are Severe
To understand the current state of application security, we began by asking survey respondents whether their
organization had experienced any security incidents due to application-level vulnerabilities since the beginning of 2011.
(Respondents to our study included 240 North American and European software development influencers from
companies that conduct web application development.) We found that:
• Web application security incidents have become far too common. Fifty-one percent of respondents reported
having at least one such incident (see Figure 1). It’s worth noting that within this group, 13% reported that they
experienced five or more incidents. Forrester suspects that many of those who reported that they have had no
breaches may have indeed suffered a breach — they just don’t know it. Today’s cybercriminals target their attacks
and do everything in their power to conceal their activity — it’s not unusual for an attack to go undetected for an
extended period of time. These statistics should be a wakeup call to the entire industry: if 51% or more of
randomly surveyed organizations have experienced at least one web app security incident in less than 24 months,
it’s clear that application security is in a dismal state.
Figure 1
Frequency Of And Financial Losses From Web Security Incidents

“Since the beginning of 2011, how many times has your organization experienced a web application security breach or a security incident that was due to the exploitation of application-level vulnerabilities?”
  Zero: 36%
  One to 10: 47%
  More than 10: 4%
  Don’t know: 13%
  51% had at least one security incident attributable to the exploitation of web application vulnerabilities.
Base: 240 North American and European development and information security managers

“Approximately how much have the breaches your organization has encountered since the beginning of 2011 cost your organization?”*
  More than $10 million: 1%
  $5 million to $10 million: 1%
  $1 million to $5 million: 6%
  $500,000 to $1 million: 10%
  $100,000 to $500,000: 24%
  Less than $100,000: 29%
  Don’t know: 28%
  18% suffered losses of at least $500,000; 28% don’t know the cost of their breaches.
*Base: 153 North American and European development and information security managers who have experienced a breach
(percentages may not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
• The direct financial consequences of a web app security incident can be severe. When asked about the financial consequences of these incidents, 18% reported losses of $500,000 or more; nearly half of those saw losses greater than $1 million. Two respondents said that their losses exceeded $10 million. It’s worthwhile to note that 28% of respondents who reported having suffered a breach don’t know the direct financial cost of those breaches. This reflects the fact that many organizations have not developed a good cost model to help track forensics, remediation, and incident response. If development and security leaders expect to increase funding for application security, they will need to address this — to secure funding, you must understand the probability and the potential cost of specific risks to your organization to determine the appropriate level of expenditure for preventative measures.
• Web app security incidents affect the organization and the individual. We also asked respondents to rate the
overall impact of web application security incidents. Surprisingly, they ranked “damage to professional reputation
or job” as the top impact — even ahead of damage to brand image, customer data loss, or loss of customer
confidence (see Figure 2). Fifty-nine percent of respondents said that breaches had some negative impact on their
professional reputation, while only 56% and 52% said that breaches negatively affected customer confidence and
damage to brand, respectively. This is an interesting result, indicating that a significant percentage of application
development and security professionals view security breaches in a somewhat personal light — that breaches
reflect negatively on their professional reputation. And a notable percentage of respondents simply said that they
don’t know what impact breaches have. To address this, organizations must develop better breach cost models
that span damage to corporate image, customer confidence, and financial loss.
Figure 2
The Overall Impact Of Web Application Security Breaches
“Please indicate how much of an impact all of the breaches your organization has encountered since the beginning of 2011 have had on each of the following.”
Stacked-bar chart showing, for each item below, the share of respondents reporting no impact, some impact, medium impact, significant impact, or severe impact:
  Damage to professional reputation/job
  Revenue loss or damage to the company bottom line
  Loss of customer confidence
  Damage to brand image
  Customer data loss
Base: 153 North American and European development and information security managers who have experienced a breach
(“Don’t know/Does not apply” responses not shown)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Organizations That Struggle With App Security Maturity Experience More Incidents
In our study, we found that respondents who believed that their application security programs were less mature or had
problems were also more likely to have had security incidents (see Figure 3). Specifically, we found that many
organizations:
• Can’t keep pace with the volume of code they produce. Of the respondents who agreed or strongly agreed that
they haven’t found a scalable way to address security given the volume of code they are producing, 79% had
experienced at least one breach. In a highly competitive global economy, the ability to deliver products, services,
and new engagement models is critical to the success and profitability of businesses. Prolonging the time-to-
market is simply not acceptable for many organizations. As a result, app-dev teams are under intense pressure to
increase their delivery speed. Couple this with the fact that today’s applications are increasingly more complex,
and it is no surprise that organizations can’t scale up their application security practices.
• Struggle to build the business case for additional funding. It’s often difficult to persuade management to invest
in proactive and strategic security measures, because building the business case for investment is challenging.
Investment in application security doesn’t immediately increase top-line revenue or reduce costs. The case for
investment is often about reducing risk and future cost avoidance: If something happens, you can protect top-line
revenues. According to our study, 71% of the respondents that had suffered at least one breach believed that they
did not have enough funding to invest in application security technologies and processes.
• Lack adequate tools. If you don’t have enough funding, you can’t invest in application security tools that are
more advanced, automated, and tightly integrated into existing development tools and platforms. According to
our study, 71% of the respondents that had suffered at least one breach believed that they did not have the right
tools for application security. As we’ll see later in this report, many development organizations rely heavily on
manual code reviews (as opposed to automation) for web application security, and many developers feel that
more advanced security tools require too much security expertise to be effective.
Figure 3
Application Security Maturity And The Frequency Of Security Incidents
“Tell us how strongly you agree and disagree with the state of application security adoption in your development processes.”
(Of those who agreed or strongly agreed with each statement: experienced no incidents/breaches / experienced one or more incident(s)/breach(es))
  We haven’t found a scalable way to address application security with the volume of code that we are generating on an ongoing basis: 21% / 79%
  We don’t have enough funding to invest in application security technologies or processes: 28% / 72%
  We don’t have the right application security tools and technologies to use during development: 29% / 71%
  Our management does not provide enough support for application security initiatives: 30% / 70%
  We don’t have the right accountability and incentive structures to promote software security with developers: 36% / 64%
  We don’t have enough customer demand for secure code to justify investing in application security processes and controls: 38% / 63%
  We don’t have enough security skill and expertise to adopt application security measures pervasively throughout development: 38% / 63%
  We don’t have the appropriate processes to ensure security is incorporated in the development life cycle: 42% / 58%
Base: 208 North American and European development and information security managers who are aware of their breach status and responded “agree” or “strongly agree” to the state of application security adoption in their development processes
(percentages may not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Organizations Struggle To Address Basic Security Flaws
We asked respondents to rank which categories of web application vulnerabilities present the biggest risk to their
environments. Default account passwords, SQL injections, and security misconfigurations took the top spots (see
Figure 4). In addition, default passwords and security misconfigurations featured prominently among those who
experienced a high number of security incidents. More specifically, 66% of those who had more than 10 incidents
reported that they had trouble with “default accounts and passwords,” while 55% cited security misconfigurations. Among those who had five to 10 incidents, SQL injection topped the list, cited by 39%.
As default passwords and security misconfigurations are typically considered low-hanging-fruit security vulnerabilities,
it is clear that the industry has not yet matured to the degree that companies know how to efficiently detect and deal
with basic security flaws in software implementations.
Figure 4
Web Application Security Flaws
“Which three of the following application security flaws present the greatest risks to web application security and ultimately to your organization?”
(Rank 1 / Rank 2 / Rank 3)
  Default account passwords: 17% / 11% / 13%
  Security misconfigurations: 12% / 10% / 15%
  SQL injections: 16% / 10% / 10%
  Broken authentication and session management: 10% / 12% / 10%
  Cross-site scripting: 8% / 13% / 9%
  Failure to restrict URL access: 12% / 10% / 8%
  Insecure cryptographic storage: 9% / 7% / 8%
  Unvalidated redirects and forwards: 5% / 8% / 10%
  Insecure direct object references: 2% / 6% / 8%
  Insufficient transport-layer protection: 3% / 7% / 5%
  Cross-site request forgery (CSRF): 5% / 4% / 4%
Base: 240 North American and European software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Organizations Must Take A Holistic Approach To Application Security
Organizations that want to improve their application security competency should take a strategic approach to
application security. This means integrating security practices throughout the development life cycle, adopting
industry-recognized methodologies, giving developers incentives to incorporate security and measuring their success,
and tying application security maturity to the company’s overall business objectives. However, for a number of reasons,
including time-to-market pressure, deployment challenges, lack of developer skills, and misalignment between app dev
and security, the life cycle approach is not yet the norm. The result? Too many organizations adopt tactical measures,
mainly for compliance, but fail to elevate the state of their application security to combat increasingly sophisticated
threats.
Top Drivers For Preventive App Security: Compliance And Lower Costs
When we asked our respondents what the top three business drivers for their organization to implement application
security measures during development were, the top answer was “to meet compliance requirements;” 67% ranked
compliance as one of the top three business drivers, followed by the 53% who chose “it is cheaper to fix bugs earlier in
the development life cycle” (see Figure 5). More specifically:
• Compliance continues to drive adoption but is no longer sufficient. It is not surprising that compliance is a big
driver of security adoption: regulations like PCI, SOX, and HIPAA have requirements that call for the use of
application security mechanisms, either specifically or indirectly through the mandate for vulnerability
management. However, just meeting what regulations require is often not sufficient to withstand sophisticated
attacks. The fact that compliance is by far the No. 1 driver is an indication that the industry as a whole does not
treat application security as a strategic and proactive initiative.
• There is little disagreement that it’s cheaper to eliminate security flaws earlier in the development life cycle.
A number of industry studies have provided concrete evidence that it is often cheaper to fix security flaws earlier
in the development life cycle rather than later. Respondents in our study agree; 53% say the top driver to
implement application security measures earlier in the life cycle is because it’s cheaper to fix bugs in the early
stages.
Figure 5
Top-Ranked Business Drivers For Preventive Application Security Adoption
“What are the top three business drivers for your organization to implement application security earlier in the development life cycle?”
  To meet our compliance requirements: 57%
  We are risk-driven and don’t want to end up as a security breach headline story: 53%
  It is cheaper to fix bugs earlier in the development life cycle: 46%
  The economic impact of security breaches and incidents justifies the investment: 42%
  We have a security-aware corporate culture: 39%
  Customers require us to demonstrate secure development practices: 36%
  It’s a competitive differentiator for us: 18%
Base: 157 North American and European development and information security managers who indicated that their organizations have the right processes and controls in place to address web application security during development
(multiple responses accepted)
(Ranks of 1, 2, and 3 combined)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Top Barriers To Preventive App Security: Time-To-Market, Resistance, And Lack Of Tools
We asked survey respondents what consequences they would be most concerned with if application defects were found
late in the development life cycle. Of all the choices presented, “cost more to fix” was by far the most popular answer:
66% of all respondents indicated that they believe finding defects late in the life cycle may result in higher remediation
costs. However, when asked what the major barriers preventing them from addressing web application security earlier
in the life cycle are, 41% said that time-to-market pressure prevented them from pushing security upstream in
development (see Figure 6). Specifically, we found that:
• There is strong time-to-market pressure. These answers suggest that, even though many understand the peril of
addressing application security late in the life cycle — especially as concerns increased remediation costs — the
pressure to bring new applications to market as quickly as possible often trumps concerns about security or
dampens the will to change the status-quo approach to application security.
• There is resistance to additional development tasks. Development organizations often resist changes to existing development processes because of the tremendous time-to-market pressure and the disruption these changes entail. Without adopting application security as an explicit performance metric and providing support for app-dev to take on additional tasks, it is difficult for a development organization to align its goals with application security initiatives.
• Companies lack tools that integrate with the development environment and workflow. We asked those
respondents (both development and security) who indicated that they had not found suitable application security
tools and technologies to further elaborate on why that was the case. While application development pros and
security pros both indicated that their existing legacy tools had integration issues (either with the development
environment or development workflow) and high false positives, development professionals also called out issues
such as “tools are too complex and require too much security expertise,” “tools do not have enough actionable
guidance to developers,” and “tools take too long to run.”
Figure 6
Top Barriers To Addressing Web Application Security Earlier In The Development Life Cycle
“Which of the following are the major barriers preventing you from addressing web application security earlier in the life cycle?”
(Extremely true, couldn’t agree more / True some of the time, but not always)
  Time-to-market pressure prevents us from adopting application security measures earlier in the dev life cycle: 6% / 35%
  Our development team resists the added tasks of addressing application security during active development: 8% / 23%
  We haven’t found any suitable application security tools and technologies that work well with our development processes: 4% / 27%
41% said time-to-market pressures prevented them from adopting application security earlier in the development life cycle.
Base: 240 North American and European software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Organizations Must Adopt More Advanced Measures And Test Earlier In The Life Cycle
Our study found that companies do put a strong emphasis on training and testing in application security (see Figure 7
and Figure 8). However, our study also revealed two issues: 1) developers are not performing testing early enough in the
development life cycle; and 2) there is little in the way of strategic application security measures, such as incorporating
risk-based application security policies. More specifically, Forrester recommends that development organizations:
• Reduce reliance on manual code review with automated code analysis testing. Nearly 63% of the respondents
reported that they use manual code reviews, while only 50% use static code analysis during development. The
percentage was even lower when we asked specifically about web application security: Only 33% used static
analysis during development (see Figure 8). Static analysis technologies inspect application code for potential
security defects and help eliminate code flaws during development. Manual code reviews are useful, but they are
hard to scale. Furthermore, manual code reviews should be conducted by someone other than the developer and
they should focus on the security-sensitive parts of the code: storage and retrieval of secrets, authentication,
authorization, logging, and user input validation.
• Use secure coding guidelines and libraries. Surprisingly, only 42% of respondents follow secure coding
guidelines and only 28% use a library of approved or banned functions. Due to time-to-market pressures,
developers code as quickly as they can and then hope that defects are caught by code reviews and testers.
However, it would be much more proactive to follow a set of guidelines and best practices and much more
efficient to avoid using banned functions right from the start.
• Incorporate architectural analysis and threat modeling. Only 26% of the survey respondents said that they
utilize threat modeling in developing web applications (see Figure 8). Threat modeling and architectural analysis
are an important component of application security strategies, because they help identify security design flaws
that would otherwise evade code-level analysis.
• Work with management to change accountability and incentives for app-dev pros. In order to move from
compliance-mandated tactical approaches to application security to a full life cycle approach, firms need to put in
place an accountability structure and incentive measures that champion the cause of application security.
Examples of accountability measures include evaluating developers with security metrics, establishing common
bug criteria across development and testing, tracking vulnerability remediation performance, and rewarding
collaboration between developers and security professionals.
• Test earlier in the life cycle. Despite the fact that there is little disagreement that it’s cheaper to address issues earlier in the life cycle, only 17% of respondents said that they test during the development cycle (which we define as during development and/or unit testing). Additionally, the fact that more than half of the organizations do not audit their code before integration testing is troubling. That means many security flaws are left unaddressed until later stages of development, which translates to more hours in post-development bug-chasing and regression testing — both efforts that could be avoided by strengthening testing efforts earlier in development (see Figure 9).
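What the first two recommendations above (automated code analysis in place of manual review, and a library of banned functions) look like in the smallest runnable form: a check over Python source that flags SQL assembled from runtime values before it reaches a database sink, and flags calls on a banned list. This is an added example written for this page, not Coverity’s product or any tool from the report; the banned list, the sink names and the sample source it scans are assumed, illustrative inputs. It also follows a query string through a variable (the f-string case) so the parameterized version is the only one that passes clean.

```python
"""Minimal AST-based static check for two of the report's recommendations:
flag SQL built by string formatting/concatenation before it reaches a
database sink, and flag calls to functions on a banned list.

Added example; not Coverity's product or any tooling from the report.
BANNED_FUNCTIONS, SQL_SINKS and SAMPLE_SOURCE are assumed, illustrative inputs.
"""
import ast
from collections import namedtuple

# Assumed banned list (illustrative). Matching is by the dotted name as written
# in the source, so "from os import system" would be missed; a real tool
# resolves imports and aliases.
BANNED_FUNCTIONS = {"eval", "exec", "os.system", "pickle.loads", "yaml.load"}

# Method names that hand a query string to the database (DB-API style).
SQL_SINKS = {"execute", "executemany", "executescript"}

Finding = namedtuple("Finding", "lineno kind detail")


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_str_const(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _builds_string_at_runtime(node, tainted):
    """True if the expression is a string assembled from runtime values:
    an f-string, + or % on a string, .format() on a literal, or a variable
    already known to hold such a string."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):
        left, right = node.left, node.right
        if isinstance(node.op, ast.Mod):
            return _is_str_const(left) or _builds_string_at_runtime(left, tainted)
        if isinstance(node.op, ast.Add):
            if _is_str_const(left) and _is_str_const(right):
                return False  # literal + literal is still a constant
            return any(_is_str_const(s) or _builds_string_at_runtime(s, tainted)
                       for s in (left, right))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format" and _is_str_const(node.func.value)
    return False


class _Checker(ast.NodeVisitor):
    """Walks a module in source order, tracking variables bound to
    runtime-built strings (a deliberately simple, flow-insensitive taint set)."""

    def __init__(self):
        self.findings = []
        self.tainted = set()

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if _builds_string_at_runtime(node.value, self.tainted):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)  # re-bound to something else
        self.generic_visit(node)

    def visit_AugAssign(self, node):
        # q += user_input turns q into a runtime-built string
        if isinstance(node.target, ast.Name) and isinstance(node.op, ast.Add):
            self.tainted.add(node.target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in BANNED_FUNCTIONS:
            self.findings.append(Finding(node.lineno, "banned-function", name))
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SQL_SINKS
                and node.args and _builds_string_at_runtime(node.args[0], self.tainted)):
            self.findings.append(Finding(node.lineno, "sql-string-building", node.func.attr))
        self.generic_visit(node)


def scan_source(source, filename="<input>"):
    """Parse `source` and return Finding tuples sorted by line number."""
    checker = _Checker()
    checker.visit(ast.parse(source, filename))
    return sorted(checker.findings)


# Constructed sample input: a concatenated query, an f-string query passed
# through a variable, the parameterized version, and a shell call.
SAMPLE_SOURCE = '''
import os, sqlite3

def find_user_concat(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchall()

def find_user_fstring(conn, username):
    query = f"SELECT * FROM users WHERE name = '{username}'"
    conn.cursor().execute(query)

def find_user_parameterized(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchall()

def run_report(path):
    os.system("report-tool " + path)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f.lineno}: {f.kind} ({f.detail})")
```

Run stand-alone it reports the two string-built queries (lines 6 and 11 of the sample) and the `os.system` call, and nothing for the parameterized query. The taint set is intentionally crude: it is not scoped per function and does not follow calls, which is exactly the kind of gap a commercial static analysis tool closes; the point here is that even this much is automated, repeatable on every commit, and does not depend on a reviewer noticing the concatenation by eye.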
Figure 7
Adoption Of Application Security Measures
“Does your organization as a whole use any of the following application security measures in the development life cycle?”
  Manual code reviews: 63%
  Security testing by testers (fuzzing, black-box scanning, penetration testing): 62%
  Security testing by developers (fuzzing, black-box scanning): 51%
  Static analysis tools and technologies: 50%
  Secure coding guidelines: 42%
  A library of approved or banned functions: 28%
  Manual penetration testing by external resources: 28%
  Binary code analysis services: 16%
Base: 240 North American software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Figure 8
Adoption Of Web Application Security Measures
“Which of the following measures do you employ for ensuring web application security in your organization?”
  Developer and/or tester training: 67%
  Quality or security gate in testing: 50%
  Prescriptive security incident response plan or operational security plan for production code: 40%
  Stringent security tests prior to acceptance of third-party code: 37%
  Risk- or policy-based security requirements definition: 37%
  Static analysis: 33%
  Threat modeling and usage scenario review: 26%
  Accountability and incentive structures to promote software security practices: 26%
  Archive release environments and activities as part of a secure release process: 21%
  Don’t know: 5%
  Other: 1%
Base: 240 North American software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Figure 9
Application Security Testing
“If you perform security audits and tests, such as penetration testing and code review, when in the
development life cycle do you perform those audits?”
During quality testing 50%
During functional testing 48%
During integration testing 48%
During development (before unit test) 40%
During developer unit test stage 39%
Just before application release 29%
Don’t know 4%
We don’t perform security audits or tests 2%
Base: 240 North American software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
App Development And Security Must Better Align For Optimized Results
Another thought-provoking fact that our study uncovered is the disparity between how developers and security
professionals view the state of the world. Half of the security respondents said that their development counterparts
resist the task of addressing application security during development. In contrast, only 28% of developers agreed (see
Figure 10). Similarly, 32% of developers said they haven’t found a suitable application security technology that works
well with their development processes, while only 23% of the security respondents agreed with that statement.
These results suggest that security professionals do not fully understand the challenges that application development
teams face, such as the security expertise needed to use some legacy code analysis tools and the lack of actionable
remediation guidance. Without understanding the root cause of a behavior (in this case, developers’ resistance to
incorporating security work earlier in development), you cannot effect change. Organizations that bridge that divide
will have a better chance of succeeding in their application security efforts.
Figure 10
Application Development And Security Pros See Challenges Differently
“Which of the following are major barriers preventing you from
addressing web application security earlier in the life cycle?”
(percentage answering “true some or all of the time”)
Development roles (N = 210) / Security roles (N = 30)
Our development team resists the added tasks of addressing application security during active development: 28% / 50%
We haven’t found any suitable application security tools and technologies that work well with our development processes: 32% / 23%
Time-to-market pressure prevents us from adopting application security measures earlier in the dev life cycle: 42% / 40%
Base: 240 North American software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Security Pros Can’t Expect Developers To Become Security Experts
When asked to describe the level of security awareness and application security proficiency of developers in their
organization, our respondents were somewhat reticent to give high marks: 40% said their developers are comfortable
with certain application security measures, while 32% said that their developers are not really proficient in application
security. Only 24% — barely one in four respondents — believed their developers are extremely security-aware (see
Figure 11). Security professionals who want to improve application security should:
• Recognize that training and testing only go so far. Most developers today have not gone through training on
secure programming, and security-savvy developers are few and far between. This isn’t likely to change anytime
soon; training isn’t going to effect change overnight. In addition, while many organizations rely heavily on
testing, they are not testing early enough in the development process. Given that training and testing are the
primary application security techniques in use today and that more than 50% of organizations have experienced
at least one security incident recently, it’s clear that these techniques by themselves are not enough. Development
organizations need to adopt other measures, such as static analysis, threat modeling, and secure-coding
guidelines to support application security initiatives.
• Work closely with developers to select application security technologies. When we asked respondents why
they hadn’t found any suitable application security tools, some developers (although no security pros) indicated
that tools were too complex, didn’t provide actionable guidance, and didn’t scale. When picking an application
security tool, security pros must be sensitive to the fact that developers are not security experts. They must also
consider the capabilities of the tool and how well it integrates with the development processes and technology
platforms. More specifically, take into account six issues when building a requirements list: 1) language and
platform support; 2) IDE and build-script integration needs; 3) vulnerability coverage; 4) analysis accuracy; 5) risk
scoring; and 6) integration with remediation systems.
• Advocate for a risk-based approach to app security. Most developers want to do the right thing; given enough
time, they would like to produce quality, secure code. The vast majority of developers in our study believe that
they should address every security issue; only 20% agree that developers should only address exploitable
security defects (see Figure 13). However, if the organization is pushing you to release revenue-generating and
customer-facing apps as quickly as possible, it’s unrealistic to address every security defect. Take a risk-based
approach: first determine the criticality of the app and the defect and address those that are the most critical. This
is the only efficient and effective way to elevate the application security posture.
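The risk-based triage described above, combined with the “quality or security gate in testing” that half of the respondents in Figure 8 report using, as an added example; this is not code from the report or from Coverity. It assumes a newline-delimited JSON finding format, three application criticality tiers, a four-step severity scale and a release-blocking threshold of 12, all chosen for illustration, and the sample findings are constructed:

```python
"""Risk-based security gate for scanner findings.

Added example for this report's risk-based recommendation; it is not code
from the Forrester/Coverity study. The input format, field names, tier
names and scoring weights are assumptions chosen for illustration.
"""
import json
from dataclasses import dataclass

# Assumed application criticality tiers: higher means more business impact.
APP_CRITICALITY = {"internal-tool": 1, "partner-portal": 2, "customer-facing": 3}
# Assumed defect severity scale, as a scanner might report it.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    category: str      # e.g. "sql-injection", "default-password", "security-misconfiguration"
    severity: str      # key of SEVERITY
    exploitable: bool  # reachable from untrusted input, per scanner or manual triage
    file: str
    line: int


# Constructed scanner output (one JSON object per line), not real tool output.
SAMPLE_REPORT = """\
{"id": "F-1", "category": "sql-injection", "severity": "critical", "exploitable": true, "file": "orders.py", "line": 88}
{"id": "F-2", "category": "security-misconfiguration", "severity": "medium", "exploitable": true, "file": "settings.py", "line": 12}
{"id": "F-3", "category": "default-password", "severity": "high", "exploitable": false, "file": "deploy/config.yaml", "line": 3}
{"id": "F-4", "category": "security-misconfiguration", "severity": "low", "exploitable": true, "file": "web.xml", "line": 41}
"""


def load_findings(report_text):
    """Parse newline-delimited JSON findings into Finding objects."""
    return [Finding(**json.loads(line))
            for line in report_text.splitlines() if line.strip()]


def risk_score(finding, app_tier):
    """Risk = application criticality x defect severity, doubled if exploitable.

    Exploitability is one input to criticality, not the only one: a
    non-exploitable high-severity defect in a customer-facing app (3 x 3 = 9)
    still outranks an exploitable low-severity one in an internal tool
    (1 x 1 x 2 = 2).
    """
    base = APP_CRITICALITY[app_tier] * SEVERITY[finding.severity]
    return base * 2 if finding.exploitable else base


def triage(findings, app_tier, block_at=12):
    """Split findings into (must_fix_now, backlog), each sorted by descending risk.

    block_at is the assumed score at which a finding blocks the release.
    """
    ranked = sorted(findings, key=lambda f: (-risk_score(f, app_tier), f.id))
    must_fix = [f for f in ranked if risk_score(f, app_tier) >= block_at]
    backlog = [f for f in ranked if risk_score(f, app_tier) < block_at]
    return must_fix, backlog


def gate(findings, app_tier, block_at=12):
    """CI gate: True when the build may ship, i.e. nothing scores at or above block_at."""
    must_fix, _ = triage(findings, app_tier, block_at)
    return not must_fix


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for tier in ("customer-facing", "internal-tool"):
        must_fix, backlog = triage(findings, tier)
        verdict = "ship" if gate(findings, tier) else "BLOCKED"
        print(f"{tier}: {verdict}")
        for f in must_fix:
            print(f"  fix now  {f.id} {f.category} risk={risk_score(f, tier)} {f.file}:{f.line}")
        for f in backlog:
            print(f"  backlog  {f.id} {f.category} risk={risk_score(f, tier)} {f.file}:{f.line}")
```

The same four findings block a customer-facing release (the exploitable SQL injection scores 24 and the exploitable misconfiguration 12) but let an internal tool ship with all four in the backlog, which is the point of scoring the application and the defect together rather than treating every finding alike. Exploitability doubles the score instead of filtering, so a non-exploitable high-severity defect still ranks above an exploitable trivial one; that matches the report’s framing of exploitability as one measure of criticality rather than the only one.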
Figure 11
Developers Lack Application Security Proficiency
“How would you describe the level of security awareness and application
security proficiency of your developers as a whole?”
Our developers are comfortable with certain app-sec measures and are involved in application security practices on a daily basis 40%
Our developers have some knowledge of application security but are not really proficient in app-sec practices 32%
Our developers are extremely security-aware; they’re no app-sec experts but are as good as it gets in terms of dev pros 24%
Our developers are not security-aware at all 3%
Only one in four believes that developers at their company are extremely security-aware.
Base: 240 North American software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Figure 12
Developers Struggle With Today’s Security Tools
“What are the top three issues you encounter when working with web application security tools and technologies?”
Development roles (N = 59) / Security roles (N = 15)
(number of respondents selecting each issue; 0 where no respondent in that group selected it)
The tool doesn’t integrate well with the development environment: 19 / 7
The workflow of the tool/technology does not integrate well with development workflow processes: 10 / 5
High false-positive rates: 11 / 3
Too complex or require too much security expertise to use: 11 / 0
Lack of actionable guidance to developers for remediation: 5 / 0
Tools take too long to run and don’t scale: 3 / 0
Base: 74 North American and European development and information security managers who have not found suitable application security tools for development
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Figure 13
Expectations That Developers Will Address All Defects Are Unrealistic
“How much do you agree with the following statements about web application security defects?”
Percentages: strongly disagree / disagree / somewhat agree / agree / strongly agree
Developers should address all security defects during development as a best practice: 1% / 8% / 14% / 34% / 41%
Security defects should be treated differently from other classes of defects: 6% / 15% / 18% / 31% / 28%
Developers should only address exploitable security defects (i.e., exploitability is one measure of the criticality of a security flaw): 15% / 39% / 25% / 13% / 7%
Base: 240 North American software development influencers and decision-makers
(“Don’t know/does not apply” responses not shown)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
KEY RECOMMENDATIONS
This survey took an in-depth look at the current application security practices of more than 200 companies across different
industries. The data in our study painted a picture of a software industry that on many fronts does not yet have mature
security practices. In addition, many development pros feel that security tools don’t work well in their environment, are too
complex, and require too much security expertise — challenges that their security counterparts don’t always see. Based on
the detailed findings in this report, it’s clear that companies need to:
• Address essential application security with a life-cycle approach to secure development. An important insight
from this study is that many organizations are still struggling with basic security flaws, such as default passwords,
SQL injections, and security misconfigurations. A comprehensive secure development life-cycle (SDLC) approach
will help you address these flaws effectively and elevate your application security maturity to a more prescriptive
and strategic level. This includes the implementation of effective bug reporting and handling, better preventive
security measures, and meaningful security metrics. Additionally, you must strengthen the alignment across
development and security teams. Over time, these practices will effect changes beyond security — such as
expedited time-to-market, better code quality, and closer alignment between security and development — across
the development organization.
• Continue to drive awareness of the changing threat landscape. Concerns over cybersecurity and the changing
threat landscape will drive demand for proactive measures and ultimately a more risk-centric approach to security.
Driving awareness of cyberthreats will help application security professionals articulate business value alignment
and counter some of the intense pressure to bring applications to market as quickly as possible at the expense of
adequate security measures. If organizations don’t improve their application security posture, they will continue to
be plagued by security incidents that result in breaches of personal data and intellectual property, with significant
business and financial consequences.2
• Change the discussion from cost to risk reduction and long-term business value. Instead of discussing only
cost and cost avoidance, application development and security pros should focus on how a secure application
development process reduces risks and supports long-term business objectives. Rather than address every security
defect, organizations need to adopt more strategic measures, such as testing earlier in the life cycle, focusing on
flaws with a critical impact, and leveraging automated technologies. When it comes to understanding business
objectives, security pros need to advocate a traceable alignment between high-level business objectives like global
expansion, customer confidence, brand building, and investments in application security.
Appendix A: Methodology
“Application security” refers to the mechanisms and processes that help identify and remediate security vulnerabilities
in software applications. These include, but are not limited to, secure design, code-level analysis, code scanning,
fuzzing, and penetration testing.
In July 2012, Coverity commissioned Forrester Consulting to conduct a survey of 250 North American and European
software development influencers. The purpose of the study was to understand how organizations in different
industries implement application security during development and to identify key trends, challenges, and market
directions for application security.
Fifty-nine percent of respondents to Forrester’s survey come from the US; the rest are from Canada, France, Germany, and
the UK. Most respondents have an enterprise background: 63% are from companies with 5,000 or more employees and
the rest all come from companies with at least 500 employees. The software and finance and insurance industries are
two of the largest verticals represented by the survey respondents: 20% software and 13% finance and insurance. The
rest are fairly evenly distributed across industries like healthcare, government, utilities, transportation, and high-tech.
All respondents are from companies that conduct software development and, more specifically, web application
development. They use languages and development frameworks that include Java, HTML5, .NET, Flash, and PHP.
Among the respondents, 79% develop software for in-house use, 53% are commercial ISVs, and another 12% are
software outsourcers.
To ensure quality answers to the survey, every respondent had to be either directly involved in software development,
QA testing, or software security, or significantly influence software development, testing, or software security at their
companies. More specifically, 13% are security professionals with application security responsibilities; the rest span
development roles, such as development manager, senior developer, architect, and VP of engineering. Readers who are
interested in a more detailed description of respondent profiles should refer to Appendix B.
Appendix B: Demographics
Figure A
Survey Respondent Demographic Information: Country Origins And Company Sizes
“In which country do you currently live?”
United States 59%; United Kingdom 12%; Germany 12%; France 12%; Canada 4%
“Approximately how many employees work for your firm/organization worldwide?”
500 to 999: 12%; 1,000 to 4,999: 24%; 5,000 to 19,999: 25%; 20,000 or more: 38%
Base: 240 North American software development influencers and decision-makers
(percentages do not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Figure B
Industry
“Which of the following best describes the industry to which your company belongs?”
Software 20%
Financial services and insurance 13%
Government 9%
Healthcare 8%
Energy and utilities 6%
Transportation 5%
Communications, media, and entertainment 5%
Internet 5%
Wholesale trade 4%
Retail 4%
Other 21%
Base: 240 North American software development influencers and decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Figure C
Respondent Profile
“Does your organization develop web applications in any of the following languages or frameworks?”
Java 100%
HTML5 55%
.NET 50%
Flash or other Rich Interactive Application capabilities 47%
PHP 38%
Other 5%
“Which of the following are true for your firm?”
We develop software applications for in-house use 79%
We develop commercial software products or services 53%
We are a software outsourcer 12%
Base: 240 North American and European development and information security managers
(multiple responses accepted)
Source: A commissioned study conducted by Forrester Consulting on behalf of Coverity, June 2012
Appendix C: Endnotes
1 Source: “Protect Your Competitive Advantage By Protecting Your Intellectual Property From Cybercriminals,” Forrester Research, Inc., July 13, 2012.
2 Source: “Application Security: 2011 And Beyond,” Forrester Research, Inc., April 12, 2011.