Portuguese English German

My take on 2016 SANS State of Application Security Report

SANS, an awesome organization that provides internationally recognized security courses and certifications, published a 2016 State of Application Security: Skills, Configurations, and Components report. Despite not having a balanced representation of companies based on their industries (the majority of companies are primarily from the financial industry) and SANS naturally being interested in promoting the need for security awareness due to their business model, this report brought some interesting findings that I'd like to highlight here:

Application Security Isn't Mature

After all the hacks and damage to companies that we've seen in the news, more than 40% of the surveyed companies are still immature or have no application security program at all. Only 3.5% claim to be "very mature." I really wonder what needs to happen for them to start considering security. Perhaps the optimism bias is stronger than I thought.

SANS 2016 Graph

Looking at the data, it's possible to see more clearly who doesn't care more than who. And the award goes to the Healthcare industry, with 70% of respondents classifying their application security program as 'immature'. Alternatively, the award could go to the Education industry, with 50% of 'immature' programs and an additional 17% that don't even have plans for application security at all.

Lower interest in protecting commercial applications

SANS 2016 Graph

Looking at the graph above (found on page 11), it's possible to see an interesting pattern. The effort put into protecting applications for which the company doesn't have access to the source code (commercial software) is only half of what is put into protecting in-house developed applications (with access to the source code).

For attackers, this means that attacking commercial applications has twice the chances of succeeding. Quite scary, huh?

Vendors are now required to follow security policies

In the 2016 survey, 40% of respondents have documented approaches and policies that third-party software vendors must adhere to, while in 2015, only 28% had any comprehensive vendor risk management program.

It's getting tougher for vendors to be approved without security. I wrote about how security makes you money and mentioned that security is now part of the business. If you forget security, chances are you will lose all the (serious) RFPs.


There are other findings in this report, of course, but these are the ones that grabbed my attention as more 'not so obvious' points. Another important finding explains that the top challenge of security programs is the lack of skills or education, but this is expected, so no kudos for this finding.

I hope you have enjoyed it and take your time to read the report and discover other interesting findings.

Thank you.

Share on Twitter Share on Facebook Share on LinkedIn Share on Hacker News

Popular Posts