Healthcare application-security-practices-survey-veracode
1 like1,097 views
The document provides insights from a survey conducted on application security practices in the healthcare industry, highlighting key trends such as the proportion of internally developed applications and the budget allocated for securing them. It reveals that many healthcare applications are not being effectively tested for security vulnerabilities, with significant gaps identified across various application types. The survey also emphasizes the need for increased executive commitment and outlines projected changes in security spending and application development over the coming year.
Healthcare application-security-practices-survey-veracode
- 1. Application Security Best Practices SurveyInsights for the Healthcare Industry
- 2. 2 Application Security Benchmark Survey Insights for the Healthcare Industry •About this survey •What is being developed by enterprises? •What is not being tested? •How will things change in 12 months? •Executive commitment •A plan to close the gap
- 3. 3 About The Survey •Conducted by IDGResearch from May-June 2014 •Respondents: -100 US -100 UK -106 Germany & Switzerland 26% 5% 6% 6% 8% 9% 11% 14% 16% Other Telecommunications Retail, Wholesale Healthcare, Medical, Biotech, Pharmaceuticals Advertising, PR, Marketing Business services, Consulting Manufacturing & Distribution Computing (HW, SW, Services) Financial services (banking, accounting,insurance) 0% 10% 20% 30% 17% 27% 16% 21% 18% $500 million - $999.9 million $1 billion - $2.9 billion $3 billion - $4.9 billion $5 billion - $9.9 billion $10 billion or more
- 4. What is being developed by enterprises?
- 5. 5 Healthcare enterprise application portfolio Internally Developed vs. Externally Sourced Internally developed Sourced from commercial software vendor Outsourced (developed by third party) 34% 42% 24% Source: Veracode and IDGResearch Services Q1. With the total equal to 100%, please estimate what proportion of your organization’s total enterprise application portfoliois internally developed vs. externally-developed/ sourced? Healthcare Base: 18 Average number of internally developed enterprise applications 1829 Source: Veracode and IDGResearch Services Q9. How many internally developed enterprise applications are currently deployed within your organization? Healthcare Base: 18
- 6. 6 Taxonomy of internally developed applications Source: Veracode and IDGResearch Services Q3. With the total equal to 100%, approximately what percent of your internally developedenterprise application portfolio falls into the following application architecture categories? Healthcare Base: 18 31% 25% 22% 24% Mobile Applications Web Applications Client/Server Applications Terminal Applications HEALTHCARE
- 7. What is being spent on securing internally developed applications?
- 8. 8 Security spending on internally developed enterprise applications HEALTHCARE 0% 17% 22% 17% 11% 22% 11% 0% 0% 35% Less than $100,000 $100,000 to $249,999 $250,000 to $499,999 $500,000 to $749,999 $750,000 to $999,999 $1M to $2.49M $2.5M to $4.9M $5M or more $1.12M Source: Veracode and IDGResearch Services Q7a. Please estimate your organization’s overall spend on application security for internally developed applications? Total Healthcare Base: 18
- 9. 9 Breakdown of application security spending on internally developed applications HEALTHCARE Penetration Testing SAST DAST Application Discovery/Inventory 20% 26% 31% 22% Source: Veracode and IDGResearch Services Q7b. Approximately what percent of your organization’s application security budget for internally developed applications is spent on the following: Healthcare Base: 18
- 10. What is not being tested?
- 11. 11 Internally developed applications not tested for security vulnerabilities Source: Veracode and IDG Research Services Q5a. For each application architecture listed below, approximately what percentage of your organization’s internally developed applications do you test for security vulnerabilities? (Total does not have to add up to 100%) Healthcare Base: 18 HEALTHCARE MOBILE APPLICATIONS 63% not tested for vulnerabilities WEB APPLICATIONS 57%not tested for vulnerabilities TERMINAL APPLICATIONS 64%not tested for vulnerabilities CLIENT/SERVER APPLICATIONS 59%not tested for vulnerabilities ALL APPLICATIONS 60%not tested for vulnerabilities A
- 12. 12 Importance of closing the gaps in application security testing HEALTHCARE Source: Veracode and IDG Research Services Q5b. For each application architecture listed below, how important is it for your organization to close the gaps in coverage and move closer to testing 100% of your internally developed applications for security vulnerabilities? Healthcare Base: 18 87% MOBILE APPLICATIONS (N = 15) 80% WEB APPLICATIONS (N = 15) 69% CLIENT/SERVER APPLICATIONS (N = 16) 69% TERMINAL APPLICATIONS (N = 16) Respondent organizations reporting less than 100% coverage citing a critical or very important need to close gaps in coverage:
- 13. How will things change in 12 months?
- 14. 14 Changes in application security programs: 12 month projection for Healthcare industry Source: Veracode and IDGResearch Services Q5a. For each application architecture listed below, approximately what percentage of your organization’s internally developed applications do you test for security vulnerabilities? (Total does not have to add up to 100%) Healthcare Base: 18 2.92% average increase Change in security spend for internally developed applications (or 177 new apps) Average growth of internally developed applications 9.7% average increase Estimated 2015 Budget: $1.15M Estimated 2015 Need: $3.11M To test all current and new applications with existing approaches $1.95M Average gap between need and budget Source: Veracode and IDGResearch Services Q8. How do you expect your organization’s overall spending on application security for internally developed enterprise applications to change over the next 12 months? Healthcare Base: 18
- 16. 16 Executive commitment to application security testing HEALTHCARE Executives have mandated an enterprise-wide program and are tracking implementation Executives are aware of but have not mandated an enterprise-wide program Executives are interested in application security for business critical applications only Executives have little interest in application security programs 44% 28% 28% 0% Source: Veracode and IDGResearch Services Q9. Which of the following most accurately describes the level of executive commitment to application security testing (for internally developed applications) within your organization? Healthcare Base: 18
- 17. 17 A Plan to Close the Gap* Anticipated spending increases are dramatically lower than the minimum spending increase that IDGdetermined is required to close the gap. Simply extrapolating the existing assessment approaches to close the gap puts the CSOin an untenable budgetary situation. The key is rethinking these elements: •How security gets built into applications as they are being developed •How to build in security at the scale and pace required to support the more than 340 anticipated new applications that enterprises, on average, will develop in the next 12 months •How to build in security so that it lowers the financial burden of proactively managing risk By seeking out best practices for implementing application security at scale, CIOsand CSOscan use their expected budget increases for initiatives that tackle their existing gap in a significant way. * Except from “Why Application Security is a Business Imperative” IDGResearch, Aug 2014
- 18. Start the assessment http://www.veracode.com/application-security-assessment