The "State of Web Application Security Survey" (PDF), conducted by the Ponemom Institute and sponsored by security vendors Barracuda Networks and Cenzic, shows a clear disconnect between the growing threat posed by Web application-related attacks and the relatively small effort by enterprises to defend against them.
"Companies know they're being hacked and that a lot of the attacks come through Web applications," says Paul Judge, chief research officer at Barracuda Networks. "Yet in most cases, they spend very little of their time and resources on app security."
Mandeep Khera, chief marketing officer for Cenzic, agreed. "Security departments tend to be given a single bucket of money for security, usually about 6 to 7 percent of the overall IT budget, and this is what they have to work with," he observes. "What we see is that a lot of them spend most of that money on network security, such as firewalls and IDS, and they mistakenly believe that those systems will protect them."
According to the survey, 88 percent of enterprises said they spend more on coffee per employee than they spend on application security. Seventy-two percent of organizations test less than 10 percent of their Web applications for security holes, even knowing those applications have been hacked in the past.
Sixty-nine percent of respondents say they are relying on network firewalls to secure Web applications, even though such firewalls do little to prevent application-level attacks, the study says.
Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps, according to the study. Yet while compliance is a major driver, 43 percent of respondents said they are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
While 41 percent of respondents reported they have 100 Web applications or more, the majority (66 percent) test fewer than than 25 percent of these applications for vulnerabilities.
"Companies need to learn that they have to assess all of their applications for security vulnerabilities, not just the top five," Khera says. "You can't do partial open heart surgery -- you have to do all of it. If you only screen a few of your Web applications, the attackers will just get in through the others."
There is some question as to whom is responsible for Web application security within the organization, the study shows. More than half of respondents (53 percent) said they expect their Web hosting provider to secure their Web applications. Even within the organization, many IT departments are unsure whether the security function is handled by the security team, the app development team, or someone else, Judge observes.
Organizations should take a dual approach to securing Web applications, using application scanning to identify vulnerabilities and deploying Web application firewalls to help protect enterprise data until the applications can be remediated, Khera says.
"Application security is not as big a monster as many people think," Khera adds. "There are tools out there that can help, even if your budget is limited."
Have a comment on this story? Please click "Make a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.