July 24, 2012, 3:51 PM — Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than on their applications, the vector for most data breaches. Many organizations dedicate less than 10% of their IT security budget to application security, according to a study by the research firm Ponemon Institute released earlier this year.
The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, including the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software.
"Most of the security guys out there are not software people," he says. "They come from an IT background. All they really know how to do is protect the network."
Second, in Grossman's view, regulatory compliance also plays a role, along with the accumulated requirements of regulations written to address past threats rather than current ones.
"Organizations must comply," he says. "They spend the lion's share of their budget first on firewalls and antivirus because the compliance regulators mandate it."
Prioritizing Application Security Is a Challenge
It is often difficult for an organization to prioritize application security over revenue-generating development work, he says. Even when an organization identifies serious vulnerabilities in its Web sites, fixing them is not necessarily a simple decision.
"The organization has to fix it themselves," he says. "The business has to decide: 'Do we create revenue-generating features this week? If we don't deliver those features on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.' They have to make a decision."
Application Vulnerabilities on the Decline
Even with these challenges, Grossman says the application security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach, based on a multitude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI, 2011 was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.
For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the Web sites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 Web sites across major vertical markets, found an average of 79 serious vulnerabilities per Web site, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007.