94% of CISOs Worry About App Compromise
A new study of one hundred CISOs has revealed that 94% are concerned about breaches in their publicly facing assets in the next 12 months, particularly within their applications.
The study, from Bugcrowd, highlights a key challenge facing organizations: As more applications become publicly accessible, more breaches are occurring at the application level. However, IT organizations are strapped when it comes to security: 71% of respondents face resourcing or budgeting issues within their organizations.
There are a number of reasons that organizations are finding themselves at a disadvantage: The cybersecurity job gap is at an all-time high; attack surfaces are as complex and large as ever; and traditional application security testing methods just aren’t cutting it.
To keep up, security leaders are continuing to prioritize application security spending. Key investment areas include applications hosted in the cloud (59%), public-facing web applications (57%), mobile applications (39%), and APIs (32%).
CISOs are currently using, on average, 4.8 application security tools and services. According to the study, outside of crowdsourced programs the top three are penetration testing (80%), incident response processes (79%) and application vulnerability scanning (71%). Others include threat modeling (50%), secure code review (54%) and app security training (54%).
“Security methodologies within today’s IT departments aren’t cutting it,” said Jason Haddix, head of Trust and Security, Bugcrowd. “Along with budgeting challenges, modern application security teams will continue to face security issues as long as investment areas continue to diversify. Reducing the risks associated with breaches begins with improving security culture throughout the organization, and finding a solution that scales within AppSec budgeting constraints. Unless you are a unicorn, you can’t staff and retain the headcount needed for a proper security program. DAST and SAST solutions only get you part way. It’s time for a real force multiplier in security.”
Source: Information Security Magazine