Report: State of application security still stinks

Feb 10, 2011
Data and Information Security

Barracuda Networks, Cenzic and the Ponemon Institute unveil the results of their State of Application Security Survey — and the results are as bad as you’d expect.

In a phone call earlier today, Grant Murphy, VP of enterprise solutions at Barracuda, gave this sobering assessment:

“We were surprised by the intent for people to do good, but the reality is not catching up. A large percentage said web app security is a top priority, but then they try to use layer 4 firewalls to secure layer 7 items. It’s like having an open sign on your website. Seventy-two percent admitted their sites have been hacked. The problem is staring them in the face but nothing is being done.”

Let’s look at the numbers behind his concerns:

–According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. “Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment,” the report said.

“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic, who was on the same call this morning. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly, wouldn’t you want to fix that door?”

–Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.

–Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

–With 41 percent reporting they have 100 or more Web applications, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.

–More than half (53 percent) expect their Web hosting provider to secure their Web applications.

–Of those respondents who own a Web application firewall, nearly twice as many agreed that a reverse proxy is a better and more secure technology than a transparent bridge.

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession. The full survey analysis can be found at

Read it and weep. Or, read it and do whatever you can in your small corner of the universe to make it better.

–Bill Brenner