DATA SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

Security Compass Releases New Study: 2022 Developer Perspectives on Application Security

Security Compass | August 26, 2022 | Read time : 02:50 min

Security Compass
Security Compass, a leading cybersecurity solution provider, has published the results of a research study examining developer views on application security, including the challenges and opportunities they face in their secure development efforts. The report, “2022 Developer Perspectives on Application Security,” provides a deep dive into security maturity, threats, requirements, tools, resources, and training.

In order for software developers and security teams to effectively collaborate and ensure that a company’s software products are secure, developers need automated, current, relevant, and actionable JITT training embedded into their development tools and processes. Security Compass’ research found that while most developers believe their enterprise has a mature security posture, almost half find it challenging to stay up to date with current security and compliance-related activities. The “2022 Developer Perspectives on Application Security” study raises awareness about how automation can solve many challenges for developers in secure application development.

Key takeaways from the study include:

  • The number one most important means to thwarting security threats according to developers is automated threat modeling (46% claiming it was “mission critical” and another 36% indicating it was “quite important”).
  • 42% of developers who have been assigned requirements related to security and compliance find it challenging to stay up to date with current security and compliance-related activities.
  • 28% of respondents claim that scope “creep” in security compounds challenges, with another 19% believing that security processes take too much time.
  • Overall, developers are in favor of security training, with 32% of developers opting to pursue training on their own (63% of respondents reported being mandated to do training).
  • Developers from smaller companies ($10M to $100M) were more than twice as likely (31% vs. 14%) as those from the largest companies ($5B+) to use ad hoc or reactive means to “gate-keep” releases from a security perspective.
  • On average, 34% of software requirements are related in some way to security and compliance, yet only 25% of companies have shifted security left into the Design Stage of software development.

“When building secure software, developers must be system thinkers. Ideally, they engage secure methods early in the design process, engage with key security personnel and stakeholders and insist on automated cybersecurity tools that efficiently guide them throughout the SDLC," said Rohit Sethi, CEO of Security Compass. “Software built with the needs of software developers at the forefront is essential to the task of cybersecurity, and companies that want to attract and support developers in their efforts to build cyber-resilient software need to look to integrated cybersecurity software. This is reinforced by Security Compass’ study that software that provides just-in-time training (JITT) and guidelines for software developers is essential for accomplishing these goals.”

For more information about the adoption of security and compliance processes by developers across organizations of various sizes, download the full “2022 Developer Perspectives on Application Security” study.

About the Survey
Security Compass commissioned Golfdale Consulting to conduct this survey research project. The survey was conducted in Q2 2022 and was based on 250 respondents from the US and UK markets working in companies ranging from $10 million to $10 billion in size. Half of the developers surveyed worked for technology companies, while the other half came from enterprises ranging from manufacturing to insurance . Respondent roles included a mix of developers from software development/DevOps (62%), IT infrastructure and back office (22%) and cyber/information security (14%).

About Security Compass
Security Compass, a pioneer in application security, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, helps organizations accelerate software time to market and reduce cyber risks by taking an automated, developer-centric approach to threat modeling, secure development, and compliance. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries.

Spotlight

Over the last several years, there has been significant security industry focus on Advanced Persistent Threats (APTs), and rightly so. Even the most sophisticated security tools struggle to detect APTs. However, without the fundamentals of security in place, attacks don’t need to be advanced to succeed. This report looks at cybercrime data across industries and arrives at a disturbing conclusion: Organizations aren’t paying enough attention to security basics. Read on to learn how less advanced attacks compromise major organizations and how you can prevent them from compromising you.

Spotlight

Over the last several years, there has been significant security industry focus on Advanced Persistent Threats (APTs), and rightly so. Even the most sophisticated security tools struggle to detect APTs. However, without the fundamentals of security in place, attacks don’t need to be advanced to succeed. This report looks at cybercrime data across industries and arrives at a disturbing conclusion: Organizations aren’t paying enough attention to security basics. Read on to learn how less advanced attacks compromise major organizations and how you can prevent them from compromising you.

Related News

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

Saviynt Completes the Australian Information Security Registered Assessor Program Assessment

Saviynt | November 08, 2022

Saviynt, a leading provider of intelligent identity and access governance solutions, today announced it has successfully completed the Information Security Registered Assessor Program (IRAP) assessment. As an important validation for security vendors doing business with government agencies in Australia, the IRAP assessment confirms that Saviynt's Enterprise Identity Cloud (EIC) is assessed at the PROTECTED level. Validating the effectiveness of security controls offered by the Enterprise Identity Cloud for storing, processing, and communicating information up to the PROTECTED information classification level. The IRAP program enables Australian government customers to validate that appropriate controls are in place for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). An independent IRAP assessor examined the Saviynt solution, including people, processes, and technology, against the requirements of the ISM. "The IRAP assessment is the latest milestone in Saviynt’s rapid growth in the Asia Pacific region. "It allows us to provide our government and commercial Enterprise Identity Cloud customers in the APAC region with the confidence that their data is fully protected from unauthorized access when leveraging cloud services.” Dan Mountstephen, Senior VP, Asia Pacific, Saviynt Saviynt’s Enterprise Identity Cloud is the only converged identity platform that provides unmatched levels of visibility and security. By combining identity access management, cloud privileged access management, application access management for cross-application separation of duties, third-party access management, and data access governance in a converged platform, Saviynt helps modern enterprises scale cloud initiatives while also solving the toughest security and compliance challenges. About Saviynt Saviynt's Enterprise Identity Cloud helps modern enterprises scale cloud initiatives and solve the toughest security and compliance challenges in record time. The company brings together identity governance (IGA), granular application access, cloud security, and privileged access to secure the entire business ecosystem and provide a frictionless user experience.

Read More

DATA SECURITY,PLATFORM SECURITY,SOFTWARE SECURITY

Mimecast Partners With Okta to Safeguard Enterprises from Insider Threat Attacks

Mimecast | November 09, 2022

Mimecast Limited, an advanced email and collaboration security company, today announced a new strategic integration with Okta, Inc., one of the leading independent identity providers, designed for enterprise customers to proactively mitigate the increasing risk and complexity of insider threat attacks. Building on Mimecast’s extensive library of API integrations, the integration partnership will further enable organizations to Work Protected™ amidst the proliferation of social engineering attacks targeting their hybrid workforce, customers, and supply chain. The integration of these solutions can empower strained IT teams with an expanded arsenal of AI-enabled tools and technologies that strengthen protection at the intersection of business communications, people, and data. The increased prevalence and damaging ramifications of insider threat attacks are well-documented. IBM’s 2022 Cost of a Data Breach Report found that stolen or compromised credentials were the most common cause of data breaches over the previous year, serving as the primary attack vector in nearly 20% of breaches. They also had the longest lifecycle of all breaches, taking approximately 243 days to identify and another 84 days to contain, and resulted in an average of $4.50 million in losses. However, according to the same study, organizations with fully deployed security AI and automation experienced breach lifecycles that were 74 days shorter, on average, and cost a median of $3.05 million less. By integrating Mimecast’s purpose-built, cloud-native email and collaboration security with Okta’s world-renowned identity access management offerings, organizations can deploy AI-enabled automation to help mitigate the impact of compromised account activity – streamlining human workflows through real-time threat intelligence sharing and automated response actions across two best-of-breed solution architectures. Optimized for rapid deployment flexibility and simplicity of use, the integration is engineered to allow administrators to seamlessly assume granular control within minutes regardless of their level of IT expertise. “Our integration partnership with Okta comes at a pivotal time as insider threats have emerged as a critical vulnerability for the modern hybrid enterprise. “This integration is a microcosm of the Mimecast mission to extend our services beyond email and collaboration security alone. Joining forces with a fellow industry pioneer like Okta enables us to execute a vital ‘team sport’ approach to cybersecurity, building on the existing security investments, capabilities, and tools of our customers to ensure their organizations remain safe.” Jules Martin, Mimecast vice president of ecosystems & alliance “With the ever-evolving nature of the cyber threat landscape, it’s imperative that we amplify our identity access management services to address new and emerging attack vectors,” said John Grundy, Okta senior strategic alliance manager. “This integration partnership with Mimecast enables us to do exactly that, creating a holistic automation framework that empowers enterprises to enhance the efficiency of their insider threat detection and response posture.” Mimecast, a Gold Sponsor of Oktane22, will be presenting a live demo of the integration at the annual conference on November 8-10, 2022. Mimecast: Work Protected™ Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to Work Protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.

Read More

DATA SECURITY, ENTERPRISE IDENTITY

Illumio Introduces New Solution to Stop Endpoint Ransomware from Spreading Across the Hybrid Attack Surface

Illumio | September 29, 2022

Illumio, Inc., the Zero Trust Segmentation company, today announced Illumio Endpoint®, a reimagined way to prevent breaches from spreading to clouds and data centers from laptops. Hybrid work has expanded the attack surface, introducing new threats and making organizations more vulnerable, so it’s become increasingly important for employees to have secure access to applications and data wherever they are located. Unlike other Zero Trust Segmentation solutions, Illumio Endpoint lets your policy follow your teams’ laptops wherever they work, whether at home, in the office, or at a coffee shop. With Illumio Endpoint, the first device that gets infected will also be the last. Organizations are more interconnected and vulnerable in hybrid workplaces, and the attack surface is growing increasingly complex. Additionally, attacks on hybrid work environments are more expensive, costing an average of about $600K more than the global average. Even with endpoint detection and response tools in place, endpoints still get breached – according to ESG, 76 percent of organizations experienced a ransomware attack in the past two years alone. Illumio Endpoint includes: Extended visibility and segmentation policy controls for macOS and Windows devices, allowing organizations to see risk and stop attacks from spreading from laptops, workstations, and VDIs. A single, unified console to see and manage visibility and segmentation policy across endpoints, clouds, and data centers, making Zero Trust Segmentation easier, faster, and more efficient for security teams. Work from anywhere support with segmentation policy that follows the device, so organizations have the confidence that their networks are secure, and their employees can remain productive while working from anywhere. The ability to control application access so users can only reach the necessary applications from their device, not the entire data center and cloud, minimizing the organization's risk from vulnerable or compromised endpoints. "Before Illumio, we had only a slim idea of what kind of communications were running across our network. But with Illumio, we clearly see exactly what's connecting to individual endpoints. David Ault, VP of Information Security at Telhio Credit Union “The hybrid workforce is here to stay, which exposes organizations to a more complex attack surface and more risk, particularly on the endpoint,” said Mario Espinoza, Chief Product Officer at Illumio. “It’s important to have tools that can detect and respond to an identified breach, but unidentified attacks can spread throughout the organization to access critical data and assets when Zero Trust Segmentation is not in place to proactively contain the breach. With Illumio Endpoint, security leaders will gain the comprehensive protection needed to build resilience to attacks throughout their hybrid IT and as employees work from anywhere.” “Ransomware and other cyberattacks often involve end user devices somewhere in the attack chain, moving laterally on to other higher-value assets,” said Dave Gruber, Principal Analyst, ESG. “Because attackers continue to find ways in and move laterally fast, prevention, detection and response mechanisms can fall short stopping these fast-moving attacks. Containment strategies such as Zero Trust Segmentation across endpoint devices can proactively stop ransomware and other fast-moving attacks from spreading to critical infrastructure and assets, reducing risk.” About Illumio Illumio, the Zero Trust Segmentation company, stops breaches and ransomware from spreading across the hybrid attack surface. The Illumio ZTS Platform visualizes all traffic flows between workloads, devices and the internet, automatically sets granular segmentation policies to control communications, and isolates high-value assets and compromised systems proactively or in response to active attacks. Illumio protects organizations of all sizes, from Fortune 100 to small business, by stopping breaches and ransomware in minutes, saving millions of dollars in application downtime, and accelerating cloud and digital transformation projects.

Read More