Organizations Not Focusing Enough on Web App Security, Survey Finds
A survey of 638 IT pros suggests many organizations aren't taking Web application security as seriously as they should be.
The survey, performed by the Ponemon Institute and commissioned by Imperva and WhiteHat Security, found that 70 percent of the respondents felt their organizations do not allocate sufficient resources to secure critical Web applications. Some 73 percent said their senior executives were not strong supporters of Web app security efforts, and 71 percent said their organization does not consider it to be a strategic initiative across the enterprise.
This is problematic, since 51 percent reported that more than half of their organization's mission-critical business processes are accessible via the Web.
"Only within the last couple of years have we seen this activity really ramp up," Bill Pennington, chief strategy officer at WhiteHat, told eWEEK. "At first organizations looked to the existing network security vendors as a solution, then realized those technologies simply do not work here... Unfortunately most organizations do not have any application security program, much less a lifecycle that includes security. This is what we mean by a strategic initiative - understanding what applications a company owns, what applications have access to what data, regular testing of production, Q&A (quality and assurance) and development along secure coding practices, developer training and (having) some type of visibility and control on the production network of application attacks."
Brian Contos, chief security strategist at Imperva, said businesses need a clear understanding of what regulations require, what the threat landscape is and where the critical applications and databases are. Organizations also need to know what their databases contain, and focus on improving communication between security operations and app development teams, he added.
"Few developers have a security background, and few security professionals are application developers," Contos said. "We can't ask the race car driver to be the mechanic, and the mechanic to win the race with any semblance of success."