2022 Application Security Report: Key Trends and Challenges

2022 APPLICATION SECURITY REPORT

INTRODUCTION

Business applications are increasingly under attack from advanced threats and malicious actors that are looking to gain access through vulnerable software. Organizations are trying to counter these threats by utilizing various controls for securing applications, such as vulnerability scanning, anti-malware software, penetration testing, and identity and access controls.

To gain deeper insights into the state of application security, Cybersecurity Insiders conducted an in-depth study in partnership with BeyondSecurity by HelpSystems in June 2022. The resulting report reveals the latest application security trends, how organizations protect critical applications, and what tools and best practices cybersecurity professionals prioritize to find, fix and prevent vulnerabilities in next-gen applications.

Key findings include:

• Forty-four percent of organizations have experienced application breaches or compromises in the past, and 20% have been attacked just within the last year.

• The biggest barriers to better defending against cyber threats include the lack of skilled personnel (39%), followed by low security awareness among employees (35%), and lack of budget (35%).

• Application security is gaining importance for most organizations as a majority (51%) project a budget increase over the next 12 months. About a third (34%) believe their application security budgets will remain flat.

We would like to thank BeyondSecurity, by HelpSystems, for supporting this important research. We hope you enjoy this report.

Thank you,

Holger Schulze

CEO and Founder

Cybersecurity Insiders

2022 APPLICATION SECURITY REPORT Copyright © 2022 Cybersecurity Insiders. All Rights Reserved. | 2

APPLICATION SECURITY CONCERNS

When asked about their biggest application security concerns, cybersecurity professionals most frequently mentioned protecting data (44%) as their key concern. This is followed by the challenge of keeping up with the rising number of vulnerabilities (42%), threat and breach detection (38%) and securing cloud apps (37%).

What are your biggest application security concerns?

• Protecting data: 44%
• Keeping up with the rising number of vulnerabilities: 42%
• Threat detection / breach detection: 38%
• Securing cloud apps: 37%
• Securing applications we develop: 37%
• Malware: 29%
• Effective threat modeling: 27%
• Effectively prioritizing and remediating vulnerabilities that pose the most risk: 26%
• Meeting regulatory/compliance requirements: 26%
• Securing mobile apps: 26%
• Securing business apps (ERP, etc.): 23%
• Meeting customers' security needs and requirements: 21%
• Securing open source software: 20%
• Securing embedded/IoT/hardware: 17%
• Securing commercial off-the-shelf software: 16%
• Securing blockchain: 6%
• Don't know/other: 6%


APPLICATIONS AT RISK

So, which types of applications present the highest security risks? Customer-facing web applications top the list (42%), followed by legacy apps (40%). Less frequently mentioned are mobile apps (30%), desktop applications (28%), and internal-facing web apps (26%).

Which types of applications present the highest security risk to your business?

• Customer-facing web applications: 42%
• Legacy applications: 40%
• Mobile applications: 30%
• Desktop (client) applications: 28%
• Internal-facing web applications: 26%
• Business applications (ERP, SCM, MES, HR, SRM, etc.): 26%
• Embedded/IoT software and firmware: 17%
• Securing blockchain applications: 7%
• Don't know/other: 12%


BARRIERS TO BETTER DEFENSES

A variety of barriers are inhibiting organizations from adequately defending against cyber threats, and none of them has to do with security technologies directly. At the top of the list are two "people issues": the perennial lack of skilled personnel (39%) followed by low security awareness among employees (35%). Next are lack of budget (35%), lack of collaboration between departments (29%), and lack of management support (26%).

Which of the following barriers inhibit your organization from adequately defending against cyber threats?

• Lack of skilled personnel: 39%
• Low security awareness among employees: 35%
• Lack of budget: 35%
• Lack of collaboration between separate departments: 29%
• Lack of management support/awareness: 26%
• Too much data to analyze: 22%
• Poor integration/interoperability between security solutions: 21%
• Lack of investment in effective solutions: 20%
• Inability to prioritize vulnerabilities based on risk: 20%
• Lack of contextual information from security tools: 13%
• Inability to justify additional investment: 13%
• None: 7%
• Not sure/other: 10%


COMPROMISED APPS

Forty-four percent of surveyed organizations have experienced application breaches or compromises in the past, and of those, 20% had been attacked just within the last year. The alarming news is that one third of survey participants (32%) are not sure if they have experienced a security attack against applications.

When was the last time that one of your company's applications was breached/compromised?

• Within the last month: 5%
• Within the last year: 15%
• Within the last 5 years: 18%
• More than 5 years ago: 6%
• Never: 24%
• Don't know/unsure: 32%

44% of organizations confirmed they experienced application breaches or compromises in the past.


ATTACKS AGAINST APPLICATIONS

Recent years have seen rapid growth in the volume and sophistication of attacks, and the survey answers reflect this trend. Not surprisingly, malware remains the most common attack vector against applications (31%), followed by distributed denial-of-service attacks (23%) and application misconfiguration (21%). Other common types of attacks include stolen credentials (20%), exploits of software vulnerabilities (18%), and brute force attacks (17%).

Which of the following security attacks against applications has your organization experienced over the past 12 months?

• Malware: 31%
• DDoS: 23%
• Application misconfiguration: 21%
• Stolen credentials: 20%
• Software vulnerability exploit: 18%
• Brute force: 17%
• Cross-site scripting: 16%
• Unpatched library: 15%
• Information leakage: 15%
• Web fraud: 14%
• SQL injection: 13%
• Content spoofing: 10%
• Clickjacking: 7%
• Cross-site registry: 7%
• MitM/MitB: 4%
• Other: 6%


APPLICATION SECURITY PROGRAM

For organizations that have a dedicated application security program in place, in-house management remains the favorite option (39%). Nearly as common is a combination of in-house and outsourced application security (36%). Only a minority (9%) rely exclusively on outsourcing for their application security needs.

How is your application security program sourced?

• In-house: 39%
• A combination of in-house and outsourced: 36%
• Outsourced / through a managed service: 9%
• No security program in place: 9%
• Don't know/unsure: 7%


SECURE CODING PROCESSES

Many companies are facing pressure to get new software developed quickly. But does the "rush to release" cause application developers to neglect secure coding procedures and processes? The most common answer is yes, according to 45% of the respondents. Only 30% said they do not neglect secure coding processes, and 25% are not sure.

Does the "rush to release" cause application developers in your organization to neglect secure coding procedures and processes?

• Yes: 45%
• No: 30%
• Not sure: 25%


AUTOMATIC SECURITY TESTING

Forty-six percent of organizations do not automate security testing during their software lifecycle. Of the 54% of organizations that automate security testing, it is done at multiple stages of the software release lifecycle. The most popular stage is during the software testing phase (48%). This is followed by automatic security testing during monitoring (31%) and code development (29%).

Do you automate security testing in your software release lifecycle?

• Yes: 54%
• No: 46%

What stage in your software release lifecycle do you automate security testing?

• Testing: 48%
• Monitoring: 31%
• Code development: 29%
• Product release: 23%
• Operation review: 16%
• Planning: 15%


MULTIPLE SECURITY SCANNERS

Utilizing multiple security scanners creates the challenge of correlating and triaging alerts and vulnerabilities. For most organizations, this means manual inspection of logs and alerts (59%) – a time and resource intensive approach. More than a third use Excel spreadsheets for tracking (35%), closely followed by JIRA/SNOW dashboards (33%).

How do you correlate and triage vulnerabilities from multiple scanners?

• Manual inspection of logs and alerts: 59%
• Excel spreadsheets: 35%
• JIRA/SNOW dashboards: 33%
• Third-party analytics tool: 3%


PENTESTING CHALLENGES

The most challenging aspect of penetration testing applications continues to be finding people with the right skill set, according to 25% of survey respondents. This is followed by cost barriers preventing organizations from pentesting as many applications as they would like (16%) and as frequently as desired (13%).

What is the biggest challenge regarding pentesting applications?

• It's hard to find or hire people with the right skills: 25%
• It's too expensive to pentest as many applications as we want to: 16%
• It's too expensive to pentest our applications as frequently as we want to: 13%
• Tools and scanning services aren't effective and/or produce too much noise: 13%
• Lack of integration with the SDLC, Pentest reports aren't easy to understand, It's hard to get issues fixed: 12%, 11% and 6% (the chart layout does not make clear which value belongs to which of these three answers)
• Other: 4%


APPLICATION SECURITY BUDGET

A fairly reliable indicator for the importance of a program in an organization is the allocation of resources to the program. By that measure, application security is gaining in importance for most organizations: a majority (51%) project a budget increase over the next 12 months. About a third believe their appsec budgets will remain flat (34%). Only 15% say their budget is likely to decline.

How is the budget for securing your applications changing over the next 12 months?

• Increase: 51%
• Stay the same: 34%
• Decrease: 15%

If the budget for securing your application will increase, indicate by how much.

• 1-5%: 41%
• 6-10%: 15%
• 11-15%: 15%
• 16-20%: 20%
• >20%: 9%


METHODOLOGY & DEMOGRAPHICS

The 2022 Application Security Report is based on the results of a comprehensive online global survey of 325 cybersecurity professionals, conducted in June 2022, to gain deep insight into the latest trends, key challenges, and solutions for application security. The respondents range from technical executives to managers and IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.

The percentages below are paired with their categories in the order in which values and labels appear in the extracted charts.

CAREER LEVEL

• Manager/Supervisor: 20%
• Director: 19%
• Vice President: 18%
• CTO, CIO, CISO, CMO, CFO, COO: 14%
• Project Manager: 12%
• Specialist: 10%
• Consultant: 4%
• Other: 3%

DEPARTMENT

• IT Security: 48%
• IT Operations: 16%
• Engineering: 11%
• Product Management: 8%
• Compliance: 5%
• Operations: 4%
• Sales: 4%
• Other: 4%

COMPANY SIZE

• Fewer than 10: 10%
• 10-99: 15%
• 100-499: 16%
• 500-999: 21%
• 1,000-4,999: 8%
• 5,000-10,000: 7%
• Over 10,000: 23%

INDUSTRY

• Technology, Software & Internet: 25%
• Financial Services: 19%
• Healthcare, Pharmaceuticals & Biotech: 17%
• Computers & Electronics: 8%
• Government: 6%
• Professional Services: 5%
• Education & Research: 5%
• Telecommunications: 5%
• Non-Profit: 5%
• Other: 5%
