Report: State of application security still stinks
In a phone call earlier today, Grant Murphy, VP of enterprise solutions at Barracuda, gave this sobering assessment:
"We were surprised by the intent for people to do good, but the reality is not catching up. A large percentage said web app security is a top priority, but then they try to use layer 4 firewalls to secure layer 7 items. It's like having an open sign on your website. Seventy-two percent admitted their sites have been hacked. The problem is staring them in the face but nothing is being done."
Let's look at the numbers behind his concerns:
--According to 74 percent of respondents, Web application security is either more critical than or equally critical to the other security issues their organizations face. "Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment," the report said.
"The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat," said Mandeep Khera, CMO for Cenzic, who was on the same call this morning. "Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?"
--Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
--Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
--Although 41 percent report having 100 or more Web applications, the majority (66 percent) test less than 25 percent of those applications for vulnerabilities.
--More than half (53 percent) expect their Web hosting provider to secure their Web applications.
--Of those respondents who own a Web application firewall, nearly twice as many agreed that a reverse proxy is a better and more secure deployment than a transparent bridge.
The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession. The full survey analysis can be found at http://www.cenzic.com/resources/reg-required/whitePapers/Ponemon2011/.
Read it and weep. Or, read it and do whatever you can in your small corner of the universe to make it better.