Executives are out of touch and overconfident when it comes to their organizations' web application security practices, according to new research published today by Netsparker.
Netsparker teamed up with Dimensional Research to survey security professionals from 382 organizations worldwide about the maturity and effectiveness of web application security in their organizations. Respondents worked in roles spanning development, DevOps, and C-suite.
The survey found numerous areas where executives believe their organizations are more secure or adhere to best practices at a higher rate than security professionals deeper in the organization. While 75% of executives believe their organization scans all web applications for security vulnerabilities, nearly 50% of security staff said that this wasn't the case.
Researchers noted that for organizations that intentionally limit scanning to their most important applications, separating the results by role was eye-opening.
“While close to 32% of security staff admit to this practice, for executives this is just over 18%. This suggests that many executives may be in the dark about the criteria for selecting what to scan and when to scan it.”
The results of the survey, published in the report "New Vulnerability Found: Executive Overconfidence," appear to show that organizations' existing web application security efforts are insufficient. Researchers found that while over 60% of DevOps respondents said that new security vulnerabilities are being found faster than they can be fixed, only just over 40% of executives are aware of this situation.
Other disparities picked up by the survey relate to internal resistance and friction. While 20% of developers believe that development teams are resistant to incorporating security, close to half of security professionals say they encounter developer resistance.
Furthermore, just under 35% of developers report friction caused by security false positives, compared to over 54% of security staff.
"The survey shows a worrying disconnect between the theory and practice of web application security," said a spokesperson for Netsparker.
"While most organizations appreciate the importance of web security, many still don’t scan all their applications and an even greater number struggle to deal with vulnerabilities in a timely manner."