IT and security pros divided about application security, survey shows

There is a huge gap between IT and security professionals around several key aspects of application security, a survey reveals

IT and security professionals are at odds over application security, according to a survey.

The main differences are around frequency of security updates, time taken to tune application security systems, and the size of vulnerability backlogs.

While half of IT professionals update applications once a month, 50% of security professionals feel they need to update applications at least once per day, if not multiple times a day, revealed the survey report by application security firm Prevoty.

The report notes that, according to Verizon’s 2016 Data Breach Investigations Report, web applications are linked to the most breaches, accounting for more than 40% of breaches in 2015.

The survey revealed that while both groups spend significant amounts of time tuning existing application security systems, security professionals spend more than 80% of their time on this task, while it accounts for 49% of IT professionals’ time.

The survey report states that the results showed both groups have very little time for other duties, which implies some more important security tasks are neglected.

And while 93% of security professionals report having up to 5,000 vulnerabilities currently backlogged, IT professionals said they have no vulnerability backlog at all.

The survey also revealed that while 39% of IT professionals do not feel their organisations have visibility into what vulnerabilities are being exploited in their applications, 92% of security professionals feel they do have visibility into the vulnerabilities, but it takes time to discover them.

Little more than a quarter of IT professionals said they rarely address application vulnerabilities, while 90% of security professionals said they often do so, whether to review, prioritise or remediate them.

While 39% of IT professionals use next-generation firewalls and other “old school” approaches to application security, the report says security professionals are investing in newer systems and methods, with 63% using web application firewalls, 38% using dynamic application security testing and 32% using static application security testing.

“Attacks against web applications are rising dramatically, and protecting these applications continues to be a struggle,” said Prevoty CEO and co-founder Julien Bellanger.

“It’s surprising to discover that so many IT professionals are uninformed about, or under-prioritising, this phenomenon,” he added.

Bellanger said bridging the gap between security and IT professionals is critical to take application security to the next level.

However, the survey showed that security professionals believe changes can be made to address this gap. More than half of security professionals feel that changes could be made to their businesses’ approach to application security.

In the light of the survey results, the survey report recommends that organisations foster consensus, awareness and deeper knowledge about the true need, cost and impact of application security and vulnerability remediation.

“Maybe IT professionals, even those not tasked with security, need to up their security game. Because sooner or later, the collective divide between perception and reality needs to shrink dramatically to ensure that company data and applications are protected from unwanted attacks or breaches,” the report concludes.