The Ponemon Institute study, which surveyed 10 000 US-based IT professionals, found that 73% believe that senior executives within their organizations are not strongly committed to web application security initiatives. Moreover, 67% of the respondents felt that the portion of IT security budgets reserved for website security was insufficient.
The survey findings show that ‘proactive’ organizations, those that put a premium on web application security, tend to spend more than twice as much on application security as a portion of their IT security budget (25% vs. 12%) as non-proactive organizations do. “This is particularly alarming given that the Web application layer is the number one attack target of hackers”, the report noted, citing data from a 2009 Verizon data breach report.
What the study results indicate is a disconnect between what management perceives as the primary threats to organizational data and what security professionals perceive them to be. “Traditionally organizations have the notion of application security being the responsibility of programmers”, lamented Amichai Shulman, chief technology officer with Imperva. “Now they are finding out that most security application-layer vulnerabilities are not being addressed in the code because programmers are too busy doing other stuff.”
Infosecurity sat down with the Imperva CTO and WhiteHat Security chief executive Stephanie Fohn at this week’s Infosecurity Europe show in London, as the two shared results of the newly released study.
Another chief concern among those surveyed was the amount of time it takes their organizations to address security vulnerabilities of their website applications. Aside from the lack of sufficient resources dedicated to protecting these so-called ‘critical’ web apps, 34% said that urgent flaws are not fixed in a timely manner, with nearly 41% of these taking up to a week to be addressed and 29% about a month.
When asked why it takes so long for these web applications to be patched, 55% of those polled believed developers are simply too busy to address the security holes; a near-identical 56% said that application developers are in no way responsible for security.
“Security [personnel] are given the responsibility for securing websites, and yet all they can do is identify the problems”, said WhiteHat’s Fohn. “They can’t solve the problem – they have to throw it over the fence to the developers”. In the meantime, she added, websites remain at risk of penetration and are vulnerable to attacks such as depositing of malware onto sites and redirects to malware servers.
“People trust these websites implicitly”, Fohn remarked, adding, rather candidly, that “all you need is one cross-site scripting vulnerability and you’re screwed”.