Website attacks are the biggest concern for companies, yet 88 percent spend more on coffee than securing Web applications, according to a survey by Barracuda Networks, Cenzic and the Ponemon Institute.
According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.
“While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks.
“The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall,” he added.
“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?”
Other key findings in the study include:
- Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
- Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
- With 41 percent reporting they have over 100 Web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
- More than half (53 percent) expect their Web hosting provider to secure their Web applications.
- Of those respondents who own a Web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.
“While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”