
GovWare 2018 survey: Challenges include resources and open source use

In September 2018, Synopsys Software Integrity Group, Asia Pacific, participated in the 27th edition of GovernmentWare. The GovWare conference anchors Singapore International Cyber Week, which promotes the development and innovation of the cyber ecosystem through international and regional collaboration and cooperation. SICW draws thousands of cyber security practitioners from around the world, and this year was no exception: SICW 2018 participants included 60 speakers, 250 sponsors and exhibitors, and over 8,000 cyber security experts, leaders, and practitioners from over 50 countries.

GovWare 2018 survey highlights

With so many practitioners representing a wide range of organizations located across a vast geography, GovWare is an ideal venue to evaluate the current state of cyber security practices and concerns. So we surveyed 251 attendees—25 C-level executives, 14 other executives, 136 practitioners in middle management, and 76 others (including those in media, education, and so on)—about cyber security in their organizations. Here are some highlights (see the full GovWare 2018 survey results below):

Lack of open source management raises a red flag

Most respondents (57%) either said their organizations had no process for inventorying or managing open source use (30%) or denied that their organizations used open source at all (27%). These responses are particularly troubling, considering the widespread use of open source across all sectors. If organizations don’t know what open source they use—or mistakenly believe they don’t use open source at all—they can’t monitor it for newly discovered vulnerabilities, and they can’t apply patches.

Also, just because you can consume open source code freely doesn’t mean you can redistribute it freely. Many popular open source licenses require that any software containing the licensed code carry the same license—in other words, the source code has to be made public. Organizations expose themselves to significant risk in terms of both data breaches and loss of IP by not regularly scanning their software to evaluate its contents.

Security awareness is up, but challenges remain

The good news is that nearly three-quarters of respondents (71%) said their organizations have an incident response plan in place to deal with a cyber attack. Even more (83%) said their organizations offer cyber security training for all employees (mostly mandatory formal training, at 53%). And a full 90% of respondents said their organizations have an application security process. The increase in these numbers year over year is a promising trend. But it’s a little surprising that even in 2018, a full 13% of respondents said their organizations do not have an incident response plan (and 16% weren’t sure). Also notable is that 10% of respondents said their organizations do not have a formal AppSec process (performed by either a dedicated internal team or a third-party vendor).

The similarity between the “no incident response plan” group and the “no formal AppSec process” group might not be a coincidence. It’s plausible that an organization without the resources for a formal AppSec process would also struggle with incident response, and vice versa. But is lack of resources the real explanation? What exactly is keeping these organizations from closing such critical gaps in their security programs? Respondents answered this question loud and clear: 56% said that lack of skilled security personnel or training was a challenge their organizations faced in implementing an application security program. Far fewer respondents mentioned budget (18%) or lack of management buy-in (17%).

Full survey results

While some of the results aren’t surprising, some are thought-provoking, and others are flashing warning signs. They’re worth digging into to see emerging trends. See the full GovWare 2018 survey results below, with the number of qualified respondents given for each question and answer choice. Note that some questions allowed multiple responses, so their percentages might add up to more than 100%.

How would you rate the risk of attack to your organization? (249 participants)
  • 32% High-risk organization with a broad, mature security program (79)
  • 10% High-risk organization with a less mature security program (25)
  • 39% Medium risk (97)
  • 19% Low risk (unlikely or too small a target) (47)
What is your top security concern? (209 participants)
  • 49% Threat/breach detection (103)
  • 36% Protecting data and IP (76)
  • 14% Regulatory compliance (30)
Which types of applications and systems present the highest security risk to your organization? (246 participants)

Multiple responses allowed

  • 36% Customer-facing web applications (89)
  • 25% Mobile applications (62)
  • 24% Desktop applications (59)
  • 16% Embedded or IoT systems (40)
  • 26% Internal-facing web applications (63)
Which statement below best describes your organization’s approach to application security? (248 participants)
  • 35% We have a dedicated, internal application security team or initiative (87)
  • 7% We use a third-party vendor to assess and secure our applications (18)
  • 47% We have a combination of an internal team/initiative and a third-party vendor (117)
  • 10% We have no formal application security process in place currently (26)
Do you have an incident response plan in place to deal with a cyber attack on your organization? (251 participants)
  • 71% Yes (179)
  • 13% No (33)
  • 16% Not sure (39)
What is your organization’s approach to using open source software components/frameworks? (243 participants)
  • 43% We have an established process to inventory and manage open source code (104)
  • 30% We use open source but do not have a process to inventory or manage its use (74)
  • 27% We do not use open source code (65)
What challenges do you face in implementing an application security program? (247 participants)

Multiple responses allowed

  • 56% Lack of skilled security personnel or training (138)
  • 18% Little to no budget (45)
  • 17% Lack of management buy-in (43)
  • 22% No challenges (54)
Do you offer cyber security awareness training for all employees? (250 participants)
  • 53% Yes, mandatory formal training with a test (133)
  • 30% Yes, informal documented policies (74)
  • 17% No (43)