Speed of System Change and Application Security: Results of the SANS 2017 Application Security Survey

Fast-Moving Organizations Move Toward Automated Testing • Traditional Manual Tests Used to Supplement Automated Scanning/Testing

  • Bethesda, MD
  • October 11, 2017

Fast development is actually improving application security, according to results of a new survey to be released in a two-part webcast hosted by SANS Institute on Tuesday, October 24 and Wednesday, October 25. Organizations able to make changes to their code continuously, daily or weekly are also fixing more security vulnerabilities than their slower-moving competitors, and with better results.

Fast development has resulted in many other improvements, according to results, including:

  • Breaking down traditional silos
  • Moving more responsibility for security testing directly to developers or cross-functional teams
  • Building up end-to-end workflow automation, which integrates security into Agile and DevOps toolchains so they can test security faster and more often

"The speed of software development is accelerating, and the technologies organizations use to support businesses are becoming more diverse," says Jim Bird, SANS Analyst and author of the survey report. "Together, those variables radically change how development teams - and their security/risk management teams - think and work."

Roughly 43% of respondents' organizations push out changes weekly, daily or continuously; these are the fast-moving organizations. But speed doesn't necessarily mean that organizations are subject to more breaches. In fact, only 15% of this year's respondents reported experiencing a breach over the past two years.

Of those that were breached, the biggest sources of breaches continued to be public-facing web applications and Windows OS, closely followed by legacy applications (which are often left untested because security teams either aren't aware of them or don't have access to their source code). Custom applications are another common target of attack.

"The sources of breaches don't change that much," says Eric Johnson, Application Security Curriculum product manager at SANS. "But application security teams must adapt to the increasing speed of development to successfully control their risks."

Fast-moving organizations test more frequently. This leads to more automation and embedded review processes. In the survey, 54% of organizations are employing automated code review and Static Application Security Testing (SAST).

"The faster an organization wants to move, the more it needs automation," says Frank Kim, the SANS Management and Software Security Curriculum lead. "But that automation comes with some trade-offs."

While organizations can run many automated tests, those tests must be highly targeted, leaving room for vulnerabilities to slip through, he continues. "Periodic pen testing, in-depth manual reviews, configuration auditing, deep scanning and fuzzing are still needed to find errors that escape tight automated loops."

Full results will be shared during a two-part webcast at 1 PM EDT on both Tuesday, October 24 and Wednesday, October 25, sponsored by Rapid7, Synopsys, Tenable, Veracode, and WhiteHat Security, and hosted by SANS. Register to attend the webcasts at and

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and application security expert, Jim Bird, with advice from Eric Johnson, Frank Kim and Barbara Filkins.


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.