Information Security Trends
SDLC and Security Go Hand In Hand for Large Enterprises
About This Report: A November survey of 390 members of the 451 Global Digital Infrastructure Alliance focused on key information security trends for DAST/SAST/IAST/RASP and SIEM/security analytics including inhibitors, top vendor attributes, and vendor ratings.
DAST/SAST/IAST/RASP Inhibitors. The biggest inhibitor for larger organizations is corporate culture, rather than product complexity and lack of expertise, which are the biggest hurdles for smaller organizations.
Security & SDLC. Large enterprises are prioritizing the use of application security tools during their software development lifecycle (SDLC) to help find and eliminate vulnerabilities before an application goes into production.
Spending Strong. Respondents expect spending to increase for both DAST/SAST/IAST/RASP and SIEM/security analytics solutions over the next 12 months.
SIEM & Cloud. When it comes to cloud, 61% of large enterprises and 54% of small enterprises have been able to leverage their existing SIEM/security analytics solutions to work with their cloud infrastructure.
By Tracy Corbo
DAST/SAST/IAST/RASP. Adoption of DAST/SAST/IAST/RASP security tools is slightly higher for organizations with over 1,000 employees (55%). Of the organizations with fewer than 1,000 employees, 15% are in pilot or proof of concept, but roughly one-third (31%) of those respondents have no plans to adopt. These same organizations are more likely to have dedicated application development capabilities in-house.
SIEM. The adoption rate for security information and event management (SIEM)/security analytics solutions is high. A solid 85% of organizations with more than 1,000 employees report the technology in use, and only 1% of those respondents have no plans to adopt.
For organizations with fewer than 1,000 employees, 65% are currently using the technology and another 23% are in pilot/proof of concept. Only 4% of those respondents have no plans to adopt.
Dynamic/Static/Interactive/Runtime Application Security Tools (DAST/SAST/IAST/RASP)
This section covers the implementation status and plans for Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Interactive Application Security Testing (IAST), and Runtime Application Self-Protection (RASP) solutions for application security. This section only includes respondents with those solutions either in use or in pilot.
Inhibitors. Respondents were asked what inhibitors they have encountered in adopting or fully utilizing this technology. The biggest inhibitor for larger organizations is corporate culture rather than product complexity and lack of expertise, which are the biggest hurdles for smaller organizations.
Security and SDLC. According to Daniel Kennedy, Research Director, Voice of the Enterprise: Information Security, “Security practitioners, alongside code quality research in general, have long noted that if security defects could be removed in applications at the earliest possible point in their development, the cost and effort would be at its most efficient and the shared impact of introduced vulnerabilities lessened. But it’s hard to introduce new testing and a new source of defects into a development lifecycle already under immense delivery pressure.”
Respondents were asked whether they run their application security vendor’s tools during different phases of the software development lifecycle (SDLC). Only 34% of smaller enterprises use application security tools for testing new code.
In sharp contrast, large enterprises are prioritizing the use of application security tools during their SDLC: 63% are using them to test new code and find vulnerabilities before an application goes into production.
Leveraging Tools in Other Areas. In addition to scanning in-house-developed products, respondents were asked if they leverage their investment in their application security vendor’s products to conduct application security evaluations in any other areas of IT.
Both large and small enterprises are leveraging their investments across other areas of IT, especially with regard to other vendors’ products and SaaS applications. Large enterprises are more likely to apply these solutions to both third-party partners and cloud-hosted applications.
Tool Allocation. In terms of how these tools are allocated across the various IT teams, the security team is the predominant group (45%); application development (appdev) accounts for 31%, and QA for another 17%.
Top Attributes. While the top attribute for both small and large enterprises is report/vulnerability guidance quality, it is of greater importance to smaller enterprises. Large enterprises value it as well, but place equal importance on programming language/platform coverage.
Because smaller enterprises typically lack the deep technical expertise of larger organizations, their second most important attribute is technical support/expertise.
Vendors. When asked which vendors their organizations were using for DAST/SAST/IAST/RASP, there is a noticeable difference in preference between small and large enterprises. Where smaller enterprises favor open source (38%), larger enterprises prefer HP/Micro Focus (42%). IBM figured into the top three for both groups.
Vendor Ratings. Respondents were asked to rate their vendor for DAST/SAST/IAST/RASP on a set of attributes using a 10-point scale where 0 is ‘poor’ and 10 is ‘excellent.’ Overall ratings across all categories fell into the moderate range, with smaller organizations being more satisfied overall than their larger counterparts.
12-Month Spending Plans. A strong majority of these respondents plan to increase spending over the next 12 months, with about half of both groups planning a 1-25% spending increase. Just over 20% of smaller organizations are planning a slightly higher spending increase of 26-50% over the next 12 months.
Security Information and Event Management (SIEM)/Security Analytics
This section covers the implementation status and plans for SIEM/security analytics. This section only includes respondents with those solutions either in use or in pilot.
Inhibitors. Respondents were asked what inhibitors they have encountered in adopting or fully utilizing this technology. Both groups see lack of staff expertise as a top inhibitor. However, the complexity of setting up the solution (30%) was more of an issue for smaller organizations, while larger ones cited inadequate staffing (35%) as their second-biggest inhibitor.
Cloud. When it comes to cloud, 61% of large enterprises and 54% of small enterprises have been able to leverage their existing SIEM/security analytics solutions to work with their cloud infrastructure. Meanwhile, 40% of small and 37% of large organizations said they had not been able to do so.
Vendors. Looking at the five most popular SIEM vendors, the top choice by far for large enterprises is Splunk (42%), and to a lesser degree for smaller organizations (25%). Open source (22%) is second for smaller organizations, while HP ArcSight/Micro Focus (24%) is more predominant in large organizations.
Vendor Ratings. Respondents were asked to rate their vendor for SIEM/security analytics on a set of attributes using a 10-point scale where 0 is ‘poor’ and 10 is ‘excellent.’ Overall ratings across all categories are at the higher end of the moderate range, compared to the ratings for DAST/SAST/IAST/RASP vendors, which are slightly lower, especially among large organizations.
451 Research, LLC does not make any warranties, express or implied, as to the information presented in this report.