A survey of 240 companies questioned about the relation between their Web applications and security found about half experienced at least one Web application security incident since last year, sometimes with "severe negative financial consequences."
"Eighteen percent reported that the breaches cost their organization $500,000 or more," says Forrester in its survey report published today. The 240 participating companies, based in North America and Europe, also acknowledged the data breaches related to Web application vulnerabilities had a negative impact on the reputation of the individuals responsible for application security, as well as the overall corporate brand.
The study, sponsored by Coverity, also found the IT professionals willing to admit their organizations were facing various types of difficulties that contributed to their Web application security problems. Among these were:
- Can't keep pace with the volume of code they produce. Here, the IT professionals cited the competitive need to keep up with delivery of "products, services and new engagement models" needed for success and profitability of the business, saying this need has put the app-dev teams "under intense pressure to increase their delivery speed."
- Struggle to build the business case for additional funding. Fully 71% of the respondents that suffered at least one data breach said they felt they didn't have enough funding to invest in application security technologies and processes.
- Lack of adequate tools. About three-quarters suffering a data breach said they likely didn't have the right tools for application security.
The Forrester survey also asked the respondents for detail on specific security problems that had raised their risk of suffering a data breach.
Default password accounts, SQL injection-related vulnerabilities and security misconfigurations were cited most frequently. For those organizations that had suffered five to 10 incidents since 2011, SQL injection topped the list.
In the study, Forrester recommended reducing reliance on manual code reviews by using automated code analysis. Sixty-three percent of the respondents said they use manual code reviews. Other recommendations included testing code earlier in the life cycle, and working with management to create "accountability measures" by evaluating developers with security metrics and tracking vulnerability remediation performance.
At the same time, Forrester emphasized "security pros can't expect developers to become security experts," and that any approach undertaken to improve Web application security should be "risk-based" to determine the "criticality of the app and the defect" in order to first "address those that are the most critical."