Organizations need to put more time, resources, and care into building and implementing their application security programs. In a recent survey we conducted of 28 large, mostly North American financial institutions, 75% of respondents stated that they regarded application security as a high or critical priority. The problems arise when organizations act on that priority.
According to the same survey, most companies allowed serious risks to persist in their application security practices, such as failing to apply proper standards to third-party software vendors, relying heavily or completely on insufficient scanning tools to find vulnerabilities, and focusing on the wrong metrics to judge the success of their application security programs.
Here is a list of common reasons why many application security programs fail: