Despite figures showing that a vulnerability in a Web application was exploited in 86% of all attacks, a new study by the Ponemon Institute found that only 18% of IT security budgets are allocated to protecting Web applications.
Network and host security receive hefty budgets, claiming 43% of the IT security pie, even though attacks at those layers account for only a small share of the total, 14% by some counts.
Some other numbers from “The State of Application Security” study show that:
Ironically, almost three-quarters of those who responded to the survey claim that web security is viewed as a strategic initiative in their organization.
A great deal of the study focused on the developer. Amazingly, most respondents felt that the developer is not responsible for the security of their applications, so the task falls on the shoulders of those responsible for security in the organization.
Traditionally, IT security focuses on defending the network through host- and workstation-based methods. Tools like intrusion prevention systems and traditional firewalls are used to defend the network from specific attacks; however, these safeguards are virtually worthless against attacks launched at the application layer. Knowing that traditional defenses can’t keep them out, attackers look to the holes found in most Web applications as a means of compromising data and resources.
When dissecting the numbers, it looks like fixing vulnerabilities in Web application code is just too much trouble. True, code reviews take a great deal of time to perform and cost a great deal of money. Throw into the mix that organizations may not always have access to the code because of proprietary applications or outsourcing and it is easy to see why so many vulnerabilities go unfixed.
However, the difficulty involved does not excuse the organization from having to fix what is broken. Regulations like HIPAA and Sarbanes-Oxley were put in place to protect data in US-based organizations. Worldwide, compliance with the Payment Card Industry’s Data Security Standard (PCI DSS) is a must for any organization that processes credit card payments. Compliance with any of these regulations cannot simply be swept under the rug because it’s too hard to do.
Astonishingly, 70% of organizations that have deployed a Web application firewall fix vulnerabilities within one week of discovering them. Used in tandem with secure coding techniques, Web application firewalls provide logs and analysis of attack patterns that help developers locate and fix vulnerabilities faster than if they were simply poring over lines of code and running automated scanning tools, because the Web application firewall produces data about real attacks. All the while, the WAF is protecting the organization’s data and resources from compromise, because it stops attackers at their most common point of entry: the Web application itself.
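As an added illustration of that last point (example code written for this article, not from the study or any WAF product), the block below parses a constructed, hypothetical WAF block log and ranks endpoint/rule pairs by how many real requests were blocked and from how many distinct clients, producing the kind of prioritized "look here first" list that lets developers focus code review on the endpoints attackers are actually probing. The log format and rule names are assumptions.

```python
# Added example: triage constructed WAF block logs into a remediation list.
import re
from collections import Counter, defaultdict

# Constructed sample events in a hypothetical WAF log format (one event per line).
WAF_LOG = """\
2024-05-01T10:00:01Z action=block client=203.0.113.10 method=POST path=/login rule=sqli-detect
2024-05-01T10:00:03Z action=block client=203.0.113.10 method=POST path=/login rule=sqli-detect
2024-05-01T10:00:09Z action=allow client=198.51.100.7 method=GET path=/catalog rule=-
2024-05-01T10:01:12Z action=block client=203.0.113.22 method=GET path=/search rule=xss-detect
2024-05-01T10:01:40Z action=block client=203.0.113.10 method=GET path=/search rule=xss-detect
2024-05-01T10:02:05Z action=block client=203.0.113.31 method=POST path=/login rule=sqli-detect
2024-05-01T10:02:50Z action=block client=203.0.113.31 method=GET path=/export rule=path-traversal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) client=(?P<client>\S+) "
    r"method=(?P<method>\w+) path=(?P<path>\S+) rule=(?P<rule>\S+)$"
)

def parse_events(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def remediation_report(events):
    """Rank (path, rule) pairs by blocked-request count, then by distinct clients.
    Only blocked events count: they are the WAF's record of real attack attempts."""
    blocks = Counter()
    sources = defaultdict(set)
    for ev in events:
        if ev["action"] != "block":
            continue
        key = (ev["path"], ev["rule"])
        blocks[key] += 1
        sources[key].add(ev["client"])
    return sorted(
        ((path, rule, n, len(sources[(path, rule)])) for (path, rule), n in blocks.items()),
        key=lambda r: (-r[2], -r[3], r[0]),
    )

if __name__ == "__main__":
    for path, rule, n, distinct in remediation_report(parse_events(WAF_LOG)):
        print(f"{path:<12} {rule:<16} blocks={n} distinct_clients={distinct}")
```

On the constructed sample, /login with the SQL injection rule tops the list (three blocks from two clients), which is where a developer would start reviewing input handling.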