Tuesday, February 15, 2011

Lack Of Adequate Protection Leaves Web Applications Vulnerable

Web site attacks are the biggest concern for companies, yet 88 percent spend more on coffee than on securing Web applications, according to a survey. Sixty-nine percent of organizations rely on network-layer firewalls to protect their Web sites; because such firewalls must pass HTTP and HTTPS traffic to the site regardless of its content, this leaves the Web applications themselves wide open to attack. Seventy-two percent of organizations test less than 10 percent of their Web applications for security holes, and some of these organizations know they have been hacked in the past.

According to 74 percent of respondents, Web application security is either more critical than or equally critical to the other security issues faced by their organizations. Despite this, the study shows there are many misconceptions about the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.

Other key findings:

--  Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
--  Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, whose guidance (such as the OWASP Top 10) is referenced by compliance standards like PCI DSS.
--  Although 41 percent report having 100 or more Web applications, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
--  More than half (53 percent) expect their Web hosting provider to secure their Web applications.
--  Of those respondents who own a Web application firewall, nearly twice as many agreed that a reverse-proxy deployment is better and more secure than a transparent-bridge deployment.

Comment from Dr. Paul Judge, chief research officer and VP for Barracuda Networks: While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security. The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight -- eventually your shield will prove that it's insufficient and an attack will reach you that can fly past a network firewall.

Comment from Mandeep Khera, CMO for Cenzic: The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat. Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn't you want to fix that door?

Comment from Dr. Larry Ponemon, chairman and founder, Ponemon Institute: While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk. Over half of the respondents we polled believe they do not have the resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organizations have inadequate governance and usage policies.

About the survey: The Ponemon Institute conducted the "State of Application Security Survey," which reveals respondents' perceptions and experiences protecting Web applications. The results are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession.

