Study: Application Vulnerabilities Are No. 1 Threat

Shortage of training among developers is a key cause of high vulnerability rates, (ISC)2 survey says

Dark Reading Staff, Dark Reading

May 16, 2013

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Application vulnerabilities are the top concern of security professionals, but development teams still are not well-trained in security issues, (ISC)2 warned this week.

In a release published Tuesday, (ISC)2 -- the security industry's largest professional association -- cited data from its recent 2013 Global Information Security Workforce Study, in which 69 percent of security pros rated application vulnerabilities as a high concern -- the highest rating of any threat in the survey.

Insecure software was a contributor in approximately one-third of attributable security breaches, according to the (ISC)2 study.

At the same time, the study cites a lack of security training in the application development process. Only 21 percent of information security professionals are involved in software development, 20 percent in software procurement, and 10 percent in outsourcing, (ISC)2 says. Most respondents (75 percent) become involved during the specification requirements phase of development.

Recent studies from Veracode and Cenzic indicate that most applications, even those that have been deployed for some time, contain security vulnerabilities.

"If we're going to eliminate vulnerabilities, security has to be a part of the development process all the way through, from design to retirement of the application," says Hord Tipton, executive director of (ISC)2. "It can't be bolted on after the application has already been developed."

(ISC)2 has developed the CSSLP, a program for certifying developers and security professionals in application security, but Tipton says it is experiencing slow growth of about 20 percent annually. Unlike (ISC)2's general security certification, the CISSP, the CSSLP is not frequently used as a requirement in hiring, he says.

"Nobody's really demanding that this problem get fixed," Tipton says. Almost half of security organizations in the study said they are not involved in the application development process at all, he notes.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights