(ISC)²® Study Finds Application Vulnerabilities Continue to Top the List of Cyber Security Concerns


2013 Global Information Security Workforce Study Confirms Software Security is Top Concern, but Industry Response is Still Lacking

(ISC)²® (“ISC-squared”), the world’s largest not-for-profit information security professional body and administrator of the CISSP® and CSSLP®, today released additional findings of its sixth bi-annual Global Information Security Workforce Study (“GISWS”). Conducted in partnership with Booz Allen Hamilton by Frost & Sullivan, the GISWS surveyed over 12,000 information and software security professionals worldwide to seek their opinions on trends and issues affecting their industry.

Consistent with the last study conducted in 2011, respondents identified application vulnerabilities as their top security concern. Further, according to the 2013 findings, a significant gap persists between software developers’ priorities and security professionals’ concerns. Application developers continue to view security as an afterthought, the study finds, but security professionals recognize that applications represent the enterprise’s largest attack surface, ranging from mobile phones to iPads, tablets, and online banking tools.

The threat

• Application vulnerabilities were identified as the number one security threat – 69 percent of professionals identified them as a high concern.
• Software is the most critical component of a secure infrastructure – above commercial software (61 percent) and hardware (53 percent) solutions, respondents identified secure software development as the highest rated tool necessary to secure an organization’s infrastructure.
• The bigger the organization, the bigger the problem – concerns around software security increase with company size, perhaps correlated with the greater amount of software development in large companies, versus smaller companies that rely heavily on commercial applications.
• Security’s soft underbelly – insecure software was a contributor in approximately one-third of attributable security breaches.

The cause

• Disconnect – Only 21 percent of information security professionals are involved in software development, 20 percent in procurement, and 10 percent in outsourcing. Most respondents (75 percent) become involved during the specification requirements phase of development.
• Lack of staff – Around half of employers see their security team as understaffed.

Other key findings include:

• Application vulnerabilities are the number one security concern for 72 percent of C-level executives.
• Almost half of security organizations are NOT involved in software development.
• Insecure software was a contributor in approximately one-third of the 60 percent of detected security breaches in 2011.
• Application security, malware, and mobile threats top the list of external concerns.

“Without action, this soft underbelly of business and governmental entities has and will continue to be exposed with serious consequences—data breaches, disrupted operations, lost business, brand damage, and regulatory fines,” commented W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)². “Furthermore, deepening engagements in software development cannot occur in isolation or be the exclusive responsibility of the information security workforce. Other relevant functional groups—software developers, application owners, and the quality assurance and testing teams—must also internalize secure software development best practices and engage with information security professionals on a regular basis.”

“Today’s cybersecurity threats and the proliferation of technology leave no room for error when it comes to protecting an organization’s critical data and intellectual property,” said Bill Stewart, senior vice president of Booz Allen Hamilton. “Security professionals must be proactive and develop organization-wide standards for working with third-party vendors to ensure the highest level of cyber protection, and vendors can differentiate their businesses and create value for their clients when they take it upon themselves to develop software that reflects their clients’ security concerns. Everyone – whether the client or third-party supplier – has a responsibility in creating an environment where good cyber hygiene can thrive.”

While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are previously known, rediscovered threats. For example, SQL injection and cross-site scripting (XSS) have appeared on the Open Web Application Security Project (OWASP) Top 10 list year after year over the past decade. This high volume of known application vulnerabilities suggests that many development teams do not have the security resources needed to address all potential security flaws, and that there is a clear shortage of qualified professionals with application security skills.

“Organizations realize the potential ramifications of not addressing application security concerns; however, most fail to adequately address them,” stated Michael Suby, Stratecast VP of Research at Frost & Sullivan and author of the report. “Cyber security professionals have a duty to anticipate and remedy vulnerabilities as they arise, but the development community must meet them in the middle and take security concerns more seriously. Without this partnership, we will see more and more successful attacks that could have devastating effects.”

The full study, released in February 2013, can be found here: https://www.isc2cares.org/IndustryResearch/GISWS/.

About (ISC)²

About The (ISC)² Foundation
The (ISC)² Foundation is a non-profit charitable trust that aims to make the cyber world safer for everyone by supporting cyber security education and awareness in the community through its programs and the efforts of its members. Through the (ISC)² Foundation, (ISC)²’s global information security expert membership of over 86,000 seeks to ensure that children everywhere have a positive, productive, and safe experience online, to spur the development of the next generation of cyber security professionals, and to illuminate major issues facing the industry now and in the future. For more information, please visit http://www.isc2.org/foundation.

About Booz Allen Hamilton
Booz Allen Hamilton is a leading provider of management and technology consulting services to the U.S. government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. Booz Allen is headquartered in McLean, Virginia, employs approximately 25,000 people, and had revenue of $5.86 billion for the 12 months ended March 31, 2012.

About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

# # #

© 2013, (ISC)² Inc. (ISC)², CISSP, ISSAP, ISSMP, ISSEP, CSSLP, CAP, SSCP and CBK are registered marks of (ISC)², Inc.

Contact Author

Michelle Schafer
Merritt Group
Sarah Bohne