Current Practices in Application Security

Based on Aberdeen's Securing Your Applications benchmark study of more than 150 worldwide organizations (August 2010), the average respondent supports over 130 deployed applications.

These are in turn supporting an average of approximately 6,800 end-users — part of an overall end-user population (including employees, contractors, business partners, and customers) that is growing at an estimated 6.5 per cent per year. More than two out of five (43 per cent) of these applications are classified as likely to have a serious adverse effect on the business or its end-users in the event of a loss of their confidentiality, integrity or availability.

The average respondent annually invests nearly $400,000 (£248,000) on application security initiatives, an estimate which includes not only the technologies but also the people and process aspects of securing their Internet-touching enterprise applications.

On average, respondents estimate that about four out of five (82 per cent) of application vulnerabilities are discovered and remediated before deployment — which of course means that roughly one in five are not.

Figure 1, below, shows the distribution of application security vulnerabilities that are discovered and remediated, by phase of the software development lifecycle. Best-in-Class companies remediate more (88.3 per cent) before deployment than Laggards (76.6 per cent) — and experience two-thirds fewer incidents as a result.

The problem is not necessarily that 20 per cent of application vulnerabilities are not discovered and remediated until after the applications have been deployed. The problem is that the total cost of remediating an actual application security-related incident is so high — about $300,000 (£186,000), across all respondents.

In other words, successful prevention of a single occurrence nearly offsets the total annual cost of the average organization's application security initiative. A high probability of occurrence, multiplied by a high cost per occurrence, is what gives credence to the argument that application security is free.

Figure 1: Discovering and Remediating Application Security Vulnerabilities

Source: Aberdeen Group, September 2010
