Based on Aberdeen’s Securing Your Applications benchmark study of more than 150 worldwide organizations (August 2010), the average respondent supports over 130 deployed applications. These in turn support an average of approximately 6,800 end-users, part of an overall end-user population (including employees, contractors, business partners, and customers) that is growing at an estimated 6.5 per cent per year. More than two out of five (43 per cent) of these applications are classified as likely to have a serious adverse effect on the business or its end-users in the event of a loss of confidentiality, integrity or availability. The average respondent annually invests nearly $400,000 (£248,000) in application security initiatives, an estimate that includes not only the technologies but also the people and process aspects of securing their Internet-touching enterprise applications.

On average, respondents estimate that about four out of five (82 per cent) of application vulnerabilities are discovered and remediated before deployment, which of course means that roughly one in five are not. Figure 1 shows the distribution of application security vulnerabilities that are discovered and remediated, by phase of the software development lifecycle. Best-in-Class companies remediate more (88.3 per cent) before deployment than Laggards (76.6 per cent), and experience two-thirds fewer incidents as a result. The problem is not necessarily that 20 per cent of application vulnerabilities are not discovered and remediated until after the applications have been deployed. The problem is that the total cost of remediating an actual application security-related incident is so high: about $300,000 (£186,000), across all respondents.
In other words, successful prevention of a single occurrence nearly offsets the total annual cost of the average organization’s application security initiative. A high probability of occurrence, multiplied by a high cost per occurrence, is what gives credence to the argument that application security is free.

Figure 1: Discovering and Remediating Application Security Vulnerabilities (Source: Aberdeen Group, September 2010)

Market Trends: Web Applications are Most Vulnerable

As noted by Aberdeen in Web Security in the Cloud (May 2010), industry sources report that nearly half of all identified vulnerabilities are related to web applications; surprisingly, however, at the end of 2009 about two-thirds of known web application vulnerabilities had no vendor-supplied patch available. For a more specific example, in one typical eight-week period between May and June 2010, more than 800 new updates and vulnerabilities were identified, not only for Windows platforms but also for Mac, Unix, Linux, cross-platform, network devices and web applications (Figure 2). There were more than three times as many vulnerabilities in third-party Windows applications as in Windows, Microsoft Office and other Microsoft products combined, underscoring the importance of a comprehensive approach to vulnerability management, even for Microsoft-only shops.

Figure 2: New Updates and Vulnerabilities Identified over 8 Weeks (Source: Qualys, in partnership with SANS)

Nearly 60 per cent (455) of the new vulnerabilities identified during this particular period were related to web applications, and of those more than 60 per cent (284) were SQL injection or cross-site scripting flaws, in spite of the excellent collaborative work of the Open Web Application Security Project (OWASP) and the widespread publicity regarding the OWASP Top 10 web application security threats (Table 1), in which injection and cross-site scripting are number one and number two.
Clearly it will continue to require more education, time and focused effort to eliminate these and other vulnerabilities from the fastest-growing category of applications. Be particularly watchful also for growth in application vulnerabilities on mobile platforms.

Derek Brink is Vice President and Research Fellow for IT Security at Aberdeen Group.