
Driving to Root Cause Vulnerability Remediation

  • December 2013
  • Frost & Sullivan
  • 10 pages

Introduction

Executives in charge of their organization’s data and infrastructure security have concerns. Top of the list are application vulnerabilities; that is, the looseness in application software code and logic that provides attackers the means and opportunity to pursue their nefarious activities (e.g., exfiltrate valuable data, steal intellectual property, disrupt operations, and damage the victim’s public reputation). Confirming this concern is a 2012 global survey of information security professionals, commissioned by (ISC)2 and conducted by Frost & Sullivan.
As shown in this chart, percent of security executives rated application vulnerabilities as either a top or high concern. This number one ranking is not exclusive to security executives. Near equal levels of concern were expressed by all categories of security professionals (e.g., security architects, auditors, managers, and security analysts) regardless of industry vertical and company size. In other words, application vulnerabilities are a recognized, pervasive, and significant security concern.

Reducing the number and severity of application vulnerabilities during software development would seem to be the most logical remedy to this situation. Yet, as discussed in this SPIE, involvement in secure software development by security professionals pales relative to their level of concern over application vulnerabilities. Additionally, form and function priorities for application developers keep secure software development at the low end of their priority ladders.
These points notwithstanding, there is reason to be optimistic that secure software development will gain increasing favor among application development and security teams. While far from an immediate sea-change, several factors described in this SPIE are coalescing to move the needle on secure software development.

Limited Involvement in Secure Software Development

As stated in the Introduction, security professionals are not extensively involved in secure software development. This is not to say that there are no security professionals deeply engaged; rather, the degree of involvement pales when compared to the degree of concern expressed by the community of security professionals.
From the survey, there are two prominent data points that highlight this community’s limited involvement. First is how much and where they are involved in software development. The survey points to low personal involvement—only percent of the surveyed security professionals state that they are personally involved in software development; and percent indicated that they are involved in software procurement. Their involvement is, as shown in this chart, also not uniform across the multiple stages of software lifecycle, and is heaviest in specifying requirements. With the potential of application vulnerabilities being introduced at all stages in the software lifecycle, and severity being a function of the evolving threat environment (i.e., through persistence and time, attackers discover vulnerabilities and learn how best to exploit them), this non-uniformity in security professionals’ engagement is disconcerting.

With only a small set of security professionals personally active in either secure software development or software procurement, the question is: which security operations activities are consuming their time and talents? That answer is shown in the chart at the left, which leads to another question. If more attention were placed on secure software development by security professionals, might the time spent on these other security operations activities be reduced? Potentially yes; but the time spent must also be effective, and that requires knowledge and skill—which leads to the second data point on security professionals’ limited involvement in secure software development.
Here too, the survey responses do not suggest that the community of security professionals has the set of skills necessary to be effective. Only one percent of the surveyed security professionals claim to hold the Certified Secure Software Lifecycle Professional (CSSLP) certification. For a profession that emphasizes certification as a demonstration of proficiency, this too raises concerns about the effectiveness of security teams in ensuring that applications are designed to operate securely.

Table Of Contents

Driving to Root Cause Vulnerability Remediation
Introduction
Limited Involvement in Secure Software Development
Expanding Risk
Progress in Application Security Scanning Products
Stratecast - The Last Word
About Stratecast
About Frost and Sullivan
