UK enterprises are lagging behind US enterprises in application security programmes, a study has revealed.
On average UK companies spend 21% less on application security than US companies of equal size, according to an IDG study commissioned by application security checking firm Veracode.
The study also found that UK enterprises focus their application security programmes only on a small subset of business-critical applications rather than the entire application portfolio.
When it comes to internally developed applications in the UK, two-thirds remain untested for critical vulnerabilities such as SQL injection.
The study found that US organisations are more likely to issue mandates for enterprise-wide application security assessment programmes.
According to the study report, US application security programmes tend to be more mature than those at UK enterprises.
When application security programmes do not extend beyond business-critical applications, the report said, enterprises leave thousands of applications vulnerable.
According to Veracode, this creates long-term security threats because cyber-criminals attack the path of least resistance into an IT infrastructure, regardless of whether an application is business-critical.
The company noted that as enterprises become better at securing their networks and endpoints, cyber-criminals are beginning to focus their efforts on the application layer.
“As a result, more than half of all successful breaches are attributed to application-layer vulnerabilities,” said Adrian Beck, manager of security programme management for Europe at Veracode.
“Closing the security gap between the number of apps being produced and the number that are assessed for security will help UK companies remain competitive in the new application economy,” he said.
Beck said that by identifying critical application-layer threats before cyber-criminals can find and exploit them, enterprises can bring innovation to market faster without sacrificing security.