Infosecurity Europe 2010: Organizations fall short on securing website applications

29 April 2010

IT security professionals in the US believe that their organizations lack proper investment in website application security, even though many of their websites contain ‘mission critical’ applications. This is according to a study conducted by the Ponemon Institute and sponsored by data security firm Imperva and WhiteHat Security, which tests websites for vulnerabilities.

The Ponemon Institute study, which surveyed 10 000 US-based IT professionals, found that 73% believe that senior executives within their organizations are not strongly committed to web application security initiatives. Moreover, 67% of the respondents felt that the portion of IT security budgets reserved for website security was insufficient.

The survey findings show that ‘proactive’ organizations, those that put a premium on web application security, tend to devote more than twice the share of their IT security budget to application security (25% vs. 12%) as non-proactive organizations do. “This is particularly alarming given that the Web application layer is the number one attack target of hackers”, the report noted, citing data from a 2009 Verizon data breach report.

What the study results indicate is a disconnect between what management perceives as the primary threats to organizational data and what security professionals perceive. “Traditionally, organizations have the notion of application security being the responsibility of programmers”, lamented Amichai Shulman, chief technology officer with Imperva. “Now they are finding out that most security application-layer vulnerabilities are not being addressed in the code because programmers are too busy doing other stuff.”

Infosecurity sat down with the Imperva CTO and WhiteHat Security chief executive Stephanie Fohn at this week’s Infosecurity Europe show in London, as the two shared results of the newly released study.

Another chief concern among those surveyed was the amount of time it takes their organizations to address security vulnerabilities in their website applications. Aside from the lack of sufficient resources dedicated to protecting these so-called ‘critical’ web apps, 34% said that urgent flaws are not fixed in a timely manner; of these, nearly 41% said such flaws take up to a week to be addressed and 29% about a month.

When asked why it takes so long for these web applications to be patched, 55% of those polled believed developers are simply too busy to address the security holes; a near-identical 56% said that application developers are in no way responsible for security.

“Security [personnel] are given the responsibility for securing websites, and yet all they can do is identify the problems”, said WhiteHat’s Fohn. “They can’t solve the problem – they have to throw it over the fence to the developers”. In the meantime, she added, websites remain at risk of penetration and are vulnerable to attacks such as the depositing of malware onto sites and redirects to malware servers.

“People trust these websites implicitly”, Fohn remarked, adding, rather candidly, that “all you need is one cross-site scripting vulnerability and you’re screwed”.
