When it comes to application security within organizations, there's a significant perception gap between executives and practitioners, according to a study released Tuesday by the Ponemon Institute and Security Innovation.
While a majority of executives (67%), directors (64%) and managers (58%) believe their company's application security program is mature, less than a third of technicians (27%) and staff (33%) buy into that perception, according to the study.
Executives see their organizations' application security program as far more mature than those at the managerial level and below, the study found. "This may be due to poor communication and collaboration among the different roles involved in application security.
"Such misalignment of priorities makes it difficult for practitioners to obtain the resources necessary to invest in application security and make it an integral part of the overall risk management strategy," the study said.
The disconnect in perceptions means organizations may not always get the best bang for their security buck. "It may be why we're spending more dollars on areas of lower risk," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an interview.
"For example," he continued, "network security is still the largest ticket item in the security arsenal and application security is relatively low, even though many practitioners view the application layer as presenting a higher risk than the network layer or other parts of the security infrastructure."
Ed Adams, president and CEO of Security Innovation, an application security company, said the software layer, by far, has the most security vulnerabilities -- more than the network layer, more than the operating system layer.
"Yet, you've got the majority of the IT security spend going into firewalls and intrusion detection systems and intrusion prevention systems," Adams said in an interview.
Perception discrepancies may help explain why security problems constantly nag applications used by companies, he added. "You've got the folks who are actually doing the work saying two out of three times, 'No, we do not have a mature applications security program,'" he said. "Yet, the executives and directors who own the budget, two out of three of them think they do have a mature application security program.
"This perception gap is, to me, telling of why we have so many problems with software applications continuing to be hacked," Adams said. "You've got management not really having a clue of what's going on with software development.
A similar perception chasm appears relative to training. Most executives (71%) and directors (66%) said they believed their organization's internal training and education programs were being updated to ensure that development teams can handle the latest threats, application security policies and best practices. Only one in five technicians (19%) and staff (20%) agreed with the brass on that subject.
"There may be a training program being rolled out," Adams said, "but it's clearly ineffective for the folks that are getting trained.
"Given the changing pace of technology, it's imperative that you keep your teams up to speed with respect to security issues," he continued. "The technical teams clearly feel like they're getting left behind and not trained, whereas executives and directors think everything is fine in that respect."
In their study, the researchers identified five stages in the development of application security in a typical organization. It starts with "no focus on security," moves to reacting to security problems as they arise and ends up at standardized and defined policies, threat modeling and continuous process improvement based on risk metrics and analysis of discovered vulnerabilities.
"Companies that invest in people and process mature through those five levels faster and with fewer computer incidents than organizations that first invest in technology and tools," Adams said. "That's a data point that I'd like to shout off every roof top and get in front of every CEO and CFO, because they're the ones making those budget decisions."