Ponemon Institute’s Reducing Enterprise Application Security Risks: More Work Needs to Be Done looks at the reasons why many enterprises consider the application layer to be the highest security risk. Ponemon Institute, in partnership with WhiteSource, surveyed 634 IT and IT security practitioners about their enterprises’ approach to securing applications. For this study, enterprise application security refers to the protection of applications from external attacks, privilege abuse, and data theft.
More than ever before, enterprises are concerned about application security. According to the survey, the top concern was hacks to insecure applications, with almost half of high-performing enterprises citing it as their greatest overall threat.
What Kinds of Hacks Concerns Your Organization the Most?
At any one point in time, an average of 2,672 business applications are deployed within the organizations represented in this research, and 30 percent of these applications are considered business critical. Securing all these disparate applications is no easy feat.
The good news is that more organizations are beginning to make application security a priority as shown by the adoption of a wide range of application security testing (AST) tools.
How does your organization secure applications?
More than one answer permitted
Despite this increase in investment, many respondents reported a significant gap between the perceived risk of application security and the actual budget allocated to address it. More money is still being spent on network security even though the majority of those surveyed say it represents a lesser risk.
Gaps in Security risks and the allocation of spending
Why are applications such a big security risk? According to the enterprises surveyed, application security is challenging because current solutions don’t offer fast remediation of vulnerable applications and also suffer from a high rate of false positives. Furthermore, monitoring, detecting, and preventing attacks at the application level is still difficult. Unfortunately, the problem is only getting worse. The majority of respondents say in the past year alone that their enterprises’ portfolio of applications has become more vulnerable to attack.
Why is it difficult to remediate vulnerabilities in applications?
More than one answer permitted.
The research shows several reasons why business-critical applications continue to be at risk and why more work needs to be done:
Some enterprises are more successful in reducing their overall risk when it comes to application security. In the report, we call them “high performers.” These enterprises follow several best practices to reduce their application security risk.
To better secure their applications to reduce risk, these organizations take the following steps:
The bottom line is that successful enterprises are those that make application security a priority throughout the SDLC from the very first stages of planning and development through to applications in production. Reducing application security risk depends in large part on an organization’s willingness to invest resources in it. Those that are most successful are both continuously detecting and remediating vulnerabilities using robust AST tools and have development and security teams that are constantly collaborating to secure the enterprise.