Security Experts:

Security Budgets Not in Line with Threats

Companies are investing resources and money into security programs to “protect” their organizations and ease the minds of their customers, but the money and resources don’t appear to be in the right places. With security resources not being allocated to the right areas, threats and risks are not being effectively managed, leaving an open opportunity for large breaches like Heartland to occur through SQL injection or Cross-site scripting—methods that are becoming more and more prevalent.

Web applications are being neglected, and application security is being viewed as less important than other areas.

This was the conclusion of a recent study conducted by Imperva, WhiteHat Security and the Ponemon Institute titled "The State of Application Security." The report assessed the data security risk of insecure websites and found that most businesses, despite having numerous mission-critical applications accessible via their websites, fail to efficiently allocate financial and technical resources to secure and protect Web applications, leaving corporate data vulnerable to theft.

"Most of the largest and recent data breaches to date have been a result of attacks against Web applications," explained Jeremiah Grossman, WhiteHat founder and CTO. "To address today's real cyber threats, companies must shift their security strategy - and budgets - from being predominately infrastructure-based and prioritize the data and applications directly."

Results of the study showed that:

• 18% of IT security budgets are focused on threats posed by insecure Web applications

• 43% of IT security budgets are allocated to network and host security

• 61% of organizations have up to 100 public-facing Web applications holding millions of important records

On the positive side, the study showed that the majority of respondents believe insecure Web applications present the greatest threat to corporate data. However, 70 percent noted that their organizations do not view application security as a strategic initiative, nor did they believe their organizations had sufficient resources specifically budgeted to Web application security to address the risk.

"Data security doesn't stop with network firewalls and anti-virus," explained Imperva CEO, Shlomo Kramer. "The cyber threat landscape has shifted from bringing down networks to stealing data, and it's time to stop fighting yesterday's war."

According to the Privacy Rights Clearinghouse, of the top 10 data breaches in 2009, 93 percent of compromised records were stolen as a result of malicious or criminal attacks against Web applications and databases. The Ponemon study found that 61 percent of responding organizations have up to 100 public-facing Web applications that transact with or access sensitive data records. Most organizations have not made application security a high priority, the survey showed, and organizations say the vast majority of developers are too busy to respond to website security issues.

The study surveyed 627 IT and IT security practitioners from more than 400 multinational enterprises and government organizations.

"Our research confirms the overwhelming value of taking a strategic, prescriptive posture to the many challenges organizations face in protecting valuable data, including a greater than 60 percent rate of improvement in fixing known vulnerabilities," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "Sadly, too many organizations remain paralyzed by the false notion that security is too complex a challenge. This study shows otherwise; there's no excuse for failing to make progress toward better security." -ML


A copy of the report is available at: http://2010survey.whitehatimperva.com/

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences.