Enterprise Software Security Strategies - SimplyDIRECT


Enterprise Software Security Strategies: Summary Results, October 2014

Program Overview

Between June and September 2014, Gatepoint Research invited IT and Security executives to participate in a survey themed Enterprise Software Security Strategies. Candidates were invited via email and 300 executives have participated to date.

Management levels represented were predominantly senior decision makers: 22% held the title CxO or VP; 56% were Directors, and 22% were Managers or Analysts.

Survey participants represent firms from a wide range of industries including business, financial, and consumer services, education, healthcare, media, and manufacturing.

50% of the responding organizations are in the Fortune 1000. 18% had annual revenues between 500 million and 1.5 billion, 8% between 250 and 500 million, and 21% less than 250 million.

100% of responders participated voluntarily; none were engaged using telemarketing.

Observations and Conclusions

Application-related security breaches are a primary concern for surveyed IT and security executives: 68% report that they are "very" or "critically concerned" about security issues within their applications.

Risk is exacerbated through the deployment of externally developed software that can't be easily controlled:
- 63% use large commercial applications and develop custom components for those applications.
- 34% deploy a large number of apps that are developed by third parties; 23% say more than half of their code is developed externally.
- Additionally, a high number of organizations rely on outsourced development, including open source, with 47% saying more than a quarter of their applications are developed externally.

Despite these risks, outdated approaches to security persist: while 74% of responders report that they are doing some penetration testing (with a majority of testing being outsourced) for assessing the security of their web applications, a majority of enterprises (66%) focus on perimeter defenses (firewalls, encryption, virus protection) but have not invested in software security.

Observations and Conclusions

Stakeholder buy-in is a major hurdle to software security: 48% cite it as a top challenge to achieving software security goals. Other challenges include:
- Understanding the full risk in the portfolio (42%)
- Keeping up with demand for deploying new apps (51%)

Confidence in software security is generally low: 52% admit to feeling not particularly upbeat or generally negative about the security of the software running in their business. When asked how they feel about the future of cyber attacks and hacking sophistication, 59% say every security professional needs to be on their game and 47% report that threats are expanding.

Despite the lack of confidence in the current security situation, senior management is waking up to the security of business software and applications as a serious issue: 50% say they are beginning to set clear objectives and goals for business software and applications.

How does your organization currently procure, build, and integrate software applications?

- We use large commercial applications and develop custom components: 63%
- We do a lot of custom in-house development: 61%
- We deploy a large number of apps that are developed by third parties: 34%
- We leverage open-source: 25%
- We develop apps externally: 14%

Surveyed organizations use a lot of customization to build and integrate software applications: 63% use large commercial applications and develop custom components; 61% do a lot of custom in-house development.

Copyright 2014 Gatepoint Research. All rights reserved. The information contained in this report is the sole property of Gatepoint Research and may not be used, reproduced, redistributed in any form including, but not limited to, print and digital form without the express written consent of Gatepoint Research.

What percentage of apps are developed externally?

- 0 to 25%: 45%
- 25 to 50%: 24%
- 50 to 75%: 15%
- 75 to 100%: 9%
- N/A: 7%

47% develop more than a quarter of their apps externally, and of those, 23% develop more than half their apps externally.

An estimated 84% of all security breaches are application-related, not firewall violations.

To what extent is your organization focused on addressing security issues in its applications? (Rate on a scale of 1-5: 1 unconcerned, 5 critically concerned.)

- 5 (Critically concerned): 39%
- 4: 30%
- 3: 22%
- 2: 5%
- 1 (Unconcerned): 2%
- N/A: 2%
- 4 or 5 (Critically concerned) combined: 69%

69% report that they are very or critically concerned about security issues in their applications.

What are you doing to improve security at the application level?

- Penetration testing: 74%
- Focused on perimeter defenses (firewalls, encryption, virus protection, etc.): 67%
- Periodic code reviews: 55%
- Use a 3rd party auditor: 52%
- Investigating software security solutions: 37%
- Full scale software security testing program in place: 35%

% of penetration testing outsourced:
- 0 to 25%: 28%
- 25 to 50%: 13%
- 50 to 75%: 17%
- 75 to 100%: 30%
- N/A: 12%

The top method for improving security at the app level is penetration testing (74%). 47% outsource more than half their penetration testing.

Which software security products or solutions are you using to help protect the code of your custom-developed applications?

- None: 39%
- IBM AppScan: 20%
- Other: 19%
- HP Fortify SCA: 16%
- HP WebInspect: 15%
- Coverity: 5%
- Don't know / can't say: 3%
- Veracode: 2%

An astonishing 39% admit that their organization is not using any software security products or solutions to lock down custom code.

What are the top challenges you face in achieving your software security goals?

- Keeping up with the business demands for deploying new applications: 51%
- Getting various stakeholders to agree on software security goals and priorities: 48%
- Getting our arms around the complete application portfolio and which applications present the highest risk to our business: 42%
- Finding security testing products that are easy to use: 27%
- Hiring and training qualified staff: 8%
- Executive level support: 5%

Stakeholder buy-in (48%), understanding the full risk in the portfolio (42%), and keeping up with demand for deploying new apps (51%) are the top challenges cited with regard to achieving software security goals.

In light of the challenges you've identified, how do you feel about the security of the software running your business? (Rate on a scale of 1-5: 1 "I have no idea and I'm afraid to find out"; 5 "I know with confidence which applications put us at risk because they lack the code to protect us against attacks.")

- 5 (Absolutely know which apps are risky because they don't have the right code to protect against attack): 11%
- 4: 35%
- 3: 41%
- 2: 10%
- 1 (No idea / afraid to find out): 2%
- 1, 2, 3 (Not particularly upbeat to generally negative) combined: 52%

52% admit to feeling not particularly upbeat or generally negative about the security of the software running in their business.

What do you feel is the future of cyber attacks, hacking sophistication, etc.?

- Cloudy future. Every security professional must be on their game: 59%
- Dark. The threats are expanding and very, very clever: 47%
- Hard to say. Seems we get good, they get good: 33%
- The trend is fewer attacks, better defenses, smarter resources: 6%
- The good guys will eventually win by outwitting the bad guys: 2%

IT security execs expect to see increased cyber attacks and expanding sophistication in hacking.

How does senior management regard application security?

- We are beginning to set clear objectives and security goals for the software and applications that run our business: 50%
- Headline-grabbing breaches in our industry have them alarmed: 37%
- Recent incidents have gotten their attention: 34%
- We are always fighting for funds to support application security: 22%
- Not on the radar: 9%

Senior management is waking up to security as a serious issue: 50% say they are beginning to set clear objectives and goals for business software and applications.

Profile of Responders: Industry Sectors

- Financial Services: 26%
- Mfg - High Tech: 12%
- Retail care: 11%
- Mfg - General: 8%
- Wholesale Trade: 5%

Responders come from a wide range of industries.

Profile of Responders: Revenue

- Over 1.5 billion: 48%
- 500 million – 1.5 billion: 18%
- 250 – 500 million: 8%
- Less than 250 million: 21%

Responders represent companies from a wide range of revenue sizes.

Profile of Responders: Job Level

- CxO/VP: 22%
- Director: 56%
- Manager/Analyst: 22%

Survey participants are senior IT and Security staff and executives.

HP Fortify is an Application Security Testing solution that identifies and prioritizes security vulnerabilities in software so that issues are fixed and removed quickly before they can be exploited for cybercrime. HP Fortify combines the most comprehensive static and dynamic testing technologies with security research from HP's global research team and can be deployed in-house or as a managed service to build a Software Security Assurance program that meets the evolving needs of today's IT organizations.
