Code & Data Security
According to a study conducted by Quotium, only 11% of Information Security Managers feel that their applications are secure, despite the fact that the vast majority of them are using a wide range of solutions to mitigate application threats.
Ofer Maor, Chief Technology Officer, Quotium
Adam Brown, UK Manager, Quotium
The Quotium Research team has conducted a study of the application security market, uncovering alarming findings about the level of security and the frequency of attacks that organizations face at the application level.
The study was conducted over a period of several months through questionnaires and interviews with over 500 CISOs, Information Security Directors and Information Security Officers of leading corporations in Europe and the United States. As part of the study, participants were asked:
The results were alarming – just over half were certain that their applications are vulnerable, and only 11% felt that they were secure. It is important to note that the focus was not on whether vulnerabilities exist at all, but on whether there are real, substantial vulnerabilities of which hackers may take advantage.
Figure I – “Do applications in your organization have vulnerabilities that hackers could exploit?”
Interestingly enough, when it comes to other people’s applications, participants were far more certain of the risk. Over 80% of participants answered Yes to the statement “100% of Off-the-Shelf Applications You Buy Are Vulnerable”.
Another interesting point was the lack of actual knowledge about the state of application security in the organization. A little over a third (38%) answered “Maybe” or “Not Sure”. This lack of knowledge continued when we tried to learn which applications are being attacked and how frequently. In both cases, almost half of the participants could not provide a well-informed answer.
Nonetheless, taking the answers of the participants who were able to provide this information, we discovered not only that most applications are vulnerable, but also that many of them are being targeted on a regular basis.
In the first question, we asked:
As already mentioned, almost half (48.6%) answered “Don’t Know”, yet we were able to learn some interesting figures from the other half. In today’s world, where attackers have a wide arsenal of potential attacks against organizations, it was clear to us that applications would be only one of several attack vectors. Nonetheless, 1 out of 5 participants pointed out that over half of all hacks against their organization were targeted at the application level, showing that applications remain a popular attack vector. Approximately two-thirds pointed out that it was over 25%.
Figure II – “Percentage of hacks against the organization targeted at your applications” (Based on results of 51.4% of participants)
These figures show that applications remain one of the most prominent attack vectors for hackers and cyber attackers.
In the second question, attempting to estimate the frequency of attacks, we asked:
Here, again, almost half (45.1%) answered “Not Sure”, indicating once more that many organizations have little visibility into the actual attacks taking place against them. Looking at the results of the remaining participants, we were able to learn that just over 40% of these organizations are targeted by application attacks every single day. Only 16% feel that they are targeted less than once a year or never.
Figure III – “Frequency of Attacks on Applications in Organization” (Based on results of 54.9% of participants)
While figures of this order of magnitude are not new, they are of particular interest in the case of application attacks, which are often complex enough to require more than just automated tools, and they indicate that this is a real threat to organizations.
Further interviews with some of the participants in the study have shown that application vulnerabilities are one of the preferred methods of operation for cyber criminals and attackers, as they make it possible to target the core business and data of the organization. While we were unable to obtain specific figures, almost all of the information security managers we talked with expressed real concerns in this respect.
In the second part of the study, we attempted to learn what organizations are doing to mitigate these threats. The results indicated that only a fraction of organizations (8.63%) do nothing regarding application security (and the majority of these were smaller organizations with fewer than 1,000 employees).
As expected, the most common practice used by organizations today is still penetration testing. Almost two-thirds (66.3%) of organizations use penetration testing services on a regular basis. Second in line are automated testing tools, mostly application scanners and static code analyzers, used by a little over half (55.7%) of organizations. Web application firewalls are also quite popular, with almost half (47.8%) of organizations using them (although it should be mentioned that, for the purpose of this study, we did not differentiate between dedicated WAF solutions and add-on WAF solutions). Following the Security in Layers approach, almost half (46.8%) of all participants indicated that they are using some combination of the above.
One of the most interesting results of our study is the gap between the effort put into protecting applications and the actual state of those applications. While almost all organizations invest time, money and energy into protecting applications, using one or more types of service or technology, most applications are still vulnerable and are still being attacked. Most importantly, almost half of the information security managers we met were unable to provide real figures on the number of vulnerabilities in, or attacks performed against, their applications.
It is clear that application vulnerabilities are still a prominent threat to organizations, and a difficult one to deal with. The delicate relationship between R&D and the security department makes application security one of the most difficult tasks at hand for an Information Security Officer. Only by choosing the right solutions for protecting applications can organizations protect themselves against these threats.