Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Enterprises Falling Short On App Security, Ponemon Study Says

Most organizations have been hacked, yet 88 percent still spend more on coffee than on app security

Ninety-three percent of organizations have been hacked at least once in the past two years through insecure Web applications, according to a study released Tuesday. Yet the same study says 88 percent of enterprises spend more on coffee than on securing Web applications.

The "State of Web Application Security Survey" (PDF), conducted by the Ponemom Institute and sponsored by security vendors Barracuda Networks and Cenzic, shows a clear disconnect between the growing threat posed by Web application-related attacks and the relatively small effort by enterprises to defend against them.

"Companies know they're being hacked and that a lot of the attacks come through Web applications," says Paul Judge, chief research officer at Barracuda Networks. "Yet in most cases, they spend very little of their time and resources on app security."

Mandeep Khera, chief marketing officer for Cenzic, agreed. "Security departments tend to be given a single bucket of money for security, usually about 6 to 7 percent of the overall IT budget, and this is what they have to work with," he observes. "What we see is that a lot of them spend most of that money on network security, such as firewalls and IDS, and they mistakenly believe that those systems will protect them."

According to the survey, 88 percent of enterprises said they spend more on coffee per employee than they spend on application security. Seventy-two percent of organizations test less than 10 percent of their Web applications for security holes, even knowing those applications have been hacked in the past.

Sixty-nine percent of respondents say they are relying on network firewalls to secure Web applications, even though such firewalls do little to prevent application-level attacks, the study says.

Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps, according to the study. Yet while compliance is a major driver, 43 percent of respondents said they are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

While 41 percent of respondents reported they have 100 Web applications or more, the majority (66 percent) test fewer than than 25 percent of these applications for vulnerabilities.

"Companies need to learn that they have to assess all of their applications for security vulnerabilities, not just the top five," Khera says. "You can't do partial open heart surgery -- you have to do all of it. If you only screen a few of your Web applications, the attackers will just get in through the others."

There is some question as to whom is responsible for Web application security within the organization, the study shows. More than half of respondents (53 percent) said they expect their Web hosting provider to secure their Web applications. Even within the organization, many IT departments are unsure whether the security function is handled by the security team, the app development team, or someone else, Judge observes.

Organizations should take a dual approach to securing Web applications, using application scanning to identify vulnerabilities and deploying Web application firewalls to help protect enterprise data until the applications can be remediated, Khera says.

"Application security is not as big a monster as many people think," Khera adds. "There are tools out there that can help, even if your budget is limited."

Have a comment on this story? Please click "Make a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-1070
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
CVE-2021-1071
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...
CVE-2020-23774
PUBLISHED: 2021-01-26
A reflected XSS vulnerability exists in tohtml/convert.php of Winmail 6.5, which can cause JavaScript code to be executed.
CVE-2020-23776
PUBLISHED: 2021-01-26
A SSRF vulnerability exists in Winmail 6.5 in app.php in the key parameter when HTTPS is on. An attacker can use this vulnerability to cause the server to send a request to a specific URL. An attacker can modify the request header 'HOST' value to cause the server to send the request.
CVE-2021-3309
PUBLISHED: 2021-01-26
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,