Insecure Web Applications Pose Greatest Threat to Data

WhiteHat Security
July 19, 2010 | COMMENTS

A survey by Imperva, WhiteHat Security, and the Ponemon Institute found that most businesses, despite having numerous mission-critical applications accessible via their websites, fail to allocate sufficient financial and technical resources to secure and protect Web applications, leaving corporate data vulnerable to theft.

According to the study, the majority of respondents believe that insecure Web applications present the greatest threat to corporate data.  However, 70 percent noted that their organizations do not view application security as a strategic initiative, nor did they believe their organizations had sufficient resources specifically budgeted to Web application security to address the risk. The study found that only 18 percent of IT security budgets were allocated to address the threat posed by insecure Web applications, while 43 percent of IT security budgets were allocated to network and host security, the areas respondents felt to be of least concern.

Of the top 10 data breaches in 2009, according to the Privacy Rights Organization, 93 percent of compromised records were stolen as a result of malicious or criminal attacks against Web applications and databases – most companies still remain significantly exposed.  The Ponemon study found that 61 percent of responding organizations have up to 100 public-facing Web applications that transact or access millions of customer records.  And yet, most organizations have not made application security a high priority.  The survey found that the vast majority of developers are too busy to respond to website security issues. 

“Most of the largest and recent data breaches to date have been a result of attacks against Web applications,” explained Jeremiah Grossman, WhiteHat founder and CTO. “To address today's real cyber threats, companies must shift their security strategy (and budgets) from being predominately infrastructure-based and prioritize the data and applications directly."

Recommendations

• You can't secure what you don't know you own. Inventory your Web applications to gain visibility into what data is at risk and where attackers can exploit the money or data transacted.
• Assign a champion. Designate someone who can own and drive data security and is strongly empowered to direct numerous teams for support. Without accountability, security, and compliance, will suffer. 
• Don't wait for developers to take charge of security. Deploy shielding technologies to mitigate the risk of vulnerable Web applications.
• Shift budget from infrastructure to Web application security. With the proper resource allocation, corporate risk can be dramatically reduced.

“Our research confirms the overwhelming value of taking a strategic, prescriptive posture to the many challenges organizations face in protecting valuable data, including a greater than 60 percent rate of improvement in fixing known vulnerabilities,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.  “Sadly, too many organizations remain paralyzed by the false notion that security is too complex a challenge. This study shows otherwise; there's no excuse for failing to make progress toward better security.”

The Ponemon study surveyed 627 IT and IT security practitioners from more than 400 multinational enterprises and government organizations. For a copy of the complete report visit http://2010survey.whitehatimperva.com. To learn more about WhiteHat Security, visit www.whitehatsec.com.