
Security Budgets Not in Line with Threats

Companies are investing resources and money into security programs to “protect” their organizations and ease the minds of their customers, but the money and resources don’t appear to be in the right places. With security resources not being allocated to the right areas, threats and risks are not being effectively managed, leaving an open opportunity for large breaches like Heartland to occur through SQL injection or Cross-site scripting—methods that are becoming more and more prevalent.

Web applications are being neglected, and application security is being viewed as less important than other areas.

This was the conclusion of a recent study conducted by Imperva, WhiteHat Security and the Ponemon Institute titled “The State of Application Security.” The report assessed the data security risk of insecure websites and found that most businesses, despite having numerous mission-critical applications accessible via their websites, fail to efficiently allocate financial and technical resources to secure and protect Web applications, leaving corporate data vulnerable to theft.

“Most of the largest and recent data breaches to date have been a result of attacks against Web applications,” explained Jeremiah Grossman, WhiteHat founder and CTO. “To address today’s real cyber threats, companies must shift their security strategy – and budgets – from being predominately infrastructure-based and prioritize the data and applications directly.”

Results of the study showed that:

• 18% of security budgets are focused on threats posed by insecure Web applications

• 43% of IT security budgets are allocated to network and host security

• 61% of organizations have 100 or so public-facing Web applications with millions of important records

On the positive side, the study showed the majority of respondents believe that insecure Web applications present the greatest threat to corporate data. However, 70 percent noted that their organizations do not view application security as a strategic initiative, nor did they believe their organizations had sufficient resources specifically budgeted to Web application security to address the risk.

“Data security doesn’t stop with network firewalls and anti-virus,” explained Imperva CEO, Shlomo Kramer. “The cyber threat landscape has shifted from bringing down networks to stealing data, and it’s time to stop fighting yesterday’s war.”

According to the Privacy Rights Organization, of the top 10 data breaches in 2009, 93 percent of compromised records were stolen as a result of malicious or criminal attacks against Web applications and databases. The Ponemon study found that 61 percent of responding organizations have up to 100 public-facing Web applications that transact or access sensitive data records. Most organizations have not made application security a high priority, the survey showed, and organizations say the vast majority of developers are too busy to respond to website security issues.

The study surveyed 627 IT and IT security practitioners from more than 400 multinational enterprises and government organizations.

“Our research confirms the overwhelming value of taking a strategic, prescriptive posture to the many challenges organizations face in protecting valuable data, including a greater than 60 percent rate of improvement in fixing known vulnerabilities,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Sadly, too many organizations remain paralyzed by the false notion that security is too complex a challenge. This study shows otherwise; there’s no excuse for failing to make progress toward better security.” -ML

A copy of the report is available at:

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
