Netsparker, the leading enterprise dynamic application security testing (DAST) solution, teamed up with Dimensional Research to understand the maturity and effectiveness of web application security in organizations worldwide. Security professionals from 382 organizations across the globe responded to the survey, with roles spanning development, DevOps, and C-suite. Netsparker analyzed the findings and today released a report, “New Vulnerability Found: Executive Overconfidence.”
The survey found numerous areas where executives believe their organizations are more secure or adhere to best practices at a higher rate than security professionals deeper in the organization. For example, 75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don’t.
Even more concerning, over 60% of DevOps respondents indicate that new security vulnerabilities are being found faster than they can be fixed, indicating that web application security efforts are insufficient. However, only just over 40% of executives are aware of this situation, and thus most companies are unlikely to be making the required investments to remedy the situation.
Despite this, respondents ranked web application security highest among areas they believe their company should focus. Over 66% of respondents named web application security as a priority – more than any other aspect of IT security, ahead of network security, endpoint security, and patch management.
Additional highlights from the Netsparker report include:
- While just 20% of developers believe that development teams are resistant to incorporating security, close to half of security professionals say they encounter developer resistance.
- Just under 40% of developers indicated that critical security issues get automatically escalated, showing that organizations still have a long way to go to fully integrate security into the software development process.
- Just under 35% of developers report friction caused by security false positives, compared to over 54% of security staff. This suggests that security teams bear the bulk of extra work caused by false alarms.
The survey shows a worrying disconnect between the theory and practice of web application
security. While most organizations appreciate the importance of web security, many still don’t scan all their applications and an even greater number struggle to deal with vulnerabilities in a timely manner.
This research shows that perceptions and expectations of web application security vary widely depending on the role. This misalignment between perception and reality creates dangerous threats to the security of organizations and their customer’s data as well.