Reducing Enterprise AppSec Risks: Ponemon Report Key Takeaways


Ponemon Institute’s Reducing Enterprise Application Security Risks: More Work Needs to Be Done looks at the reasons why many enterprises consider the application layer to be the highest security risk. Ponemon Institute, in partnership with Mend.io, surveyed 634 IT and IT security practitioners about their enterprises’ approach to securing applications. For this study, enterprise application security refers to the protection of applications from external attacks, privilege abuse, and data theft. 

Applications are more vulnerable to attack

More than ever before, enterprises are concerned about application security. According to the survey, the top concern was hacks to insecure applications, with almost half of high-performing enterprises citing it as their greatest overall threat.

[Chart] What kinds of hacks concern your organization the most? Shows the kinds of attacks that concern enterprises the most.

Enterprises are making application security a priority

At any one point in time, an average of 2,672 business applications are deployed within the organizations represented in this research, and 30 percent of these applications are considered business critical. Securing all these disparate applications is no easy feat.

The good news is that more organizations are beginning to make application security a priority as shown by the adoption of a wide range of application security testing (AST) tools.

[Chart] How does your organization secure applications? (More than one answer permitted.) Shows how enterprises secure applications.

Despite this increase in investment, many respondents reported a significant gap between the perceived risk of application security and the actual budget allocated to address it. More money is still being spent on network security even though the majority of those surveyed say it represents a lesser risk.

Addressing vulnerabilities in enterprise applications

Why are applications such a big security risk? According to the enterprises surveyed, application security is challenging because current solutions don’t offer fast remediation of vulnerable applications and also suffer from a high rate of false positives. Furthermore, monitoring, detecting, and preventing attacks at the application level is still difficult. Unfortunately, the problem is only getting worse: the majority of respondents say that in the past year alone their enterprises’ application portfolios have become more vulnerable to attack.

[Chart] Why is it difficult to remediate vulnerabilities in applications? (More than one answer permitted.) Shows why it is difficult to remediate vulnerabilities.

The research shows several reasons why business-critical applications continue to be at risk and why more work needs to be done:

  • Remediating applications in production is slow work. More than half of respondents say it takes days, weeks, and even months to patch an application in production after a vulnerability is detected.
  • Collaboration between the application development and security teams is limited, according to 65 percent of respondents.
  • Security is not adequately emphasized during the development of new applications, forcing both developers and security teams to play catch-up.
  • More investment needs to be made in application security, which isn’t funded at the same level that network security is.
  • Fewer organizations are building security features into applications under development. In 2020, only 21 percent of respondents say their organizations build security features into applications, a significant decrease from respondents five years ago.

How enterprises reduce application security risk

Some enterprises are more successful in reducing their overall risk when it comes to application security. In the report, we call them “high performers.” These enterprises follow several best practices to reduce their application security risk.

To better secure their applications to reduce risk, these organizations take the following steps:

  • They establish a structured approach to build a secure software development life cycle (SSDLC) that is applied consistently across the enterprise.
  • They ensure the SSDLC builds security features in at the design and development phases.
  • The development and security teams operate in a highly collaborative environment to ensure the mitigation of application security risks.

The bottom line is that successful enterprises are those that make application security a priority throughout the SDLC, from the very first stages of planning and development through to applications in production. Reducing application security risk depends in large part on an organization’s willingness to invest resources in it. Those that are most successful both continuously detect and remediate vulnerabilities using robust AST tools and have development and security teams that constantly collaborate to secure the enterprise.
