Ponemon Study Reveals Most Companies’ Websites are Unprotected

Redwood Shores, Calif., Santa Clara, Calif., and Traverse City, Mich. – April 26, 2010 – Imperva, WhiteHat Security and the Ponemon Institute today announced the results of their survey, “The State of Application Security,” which assessed the data security risk of insecure websites. The survey found that most businesses, despite having numerous mission-critical applications accessible via their websites, fail to allocate sufficient financial and technical resources to secure and protect Web applications, leaving corporate data vulnerable to theft.

According to the study, the majority of respondents believe that insecure Web applications present the greatest threat to corporate data. However, 70 percent noted that their organizations do not view application security as a strategic initiative, nor did they believe their organizations had sufficient resources specifically budgeted to Web application security to address the risk. The study found that only 18 percent of IT security budgets were allocated to address the threat posed by insecure Web applications, while 43 percent of IT security budgets were allocated to network and host security, the areas respondents felt to be of least concern.

“Data security doesn’t stop with network firewalls and anti-virus,” explained Imperva CEO, Shlomo Kramer. “The cyber threat landscape has shifted from bringing down networks to stealing data, and it’s time to stop fighting yesterday’s war.”

Of the top 10 data breaches in 2009, according to the Privacy Rights Organization, 93 percent of compromised records were stolen as a result of malicious or criminal attacks against Web applications and databases – most companies still remain significantly exposed. The Ponemon study found that 61 percent of responding organizations have up to 100 public-facing Web applications that transact or access millions of customer records. And yet, most organizations have not made application security a high priority. The survey found that the vast majority of developers are too busy to respond to website security issues.

“Most of the largest and recent data breaches to date have been a result of attacks against Web applications,” explained Jeremiah Grossman, WhiteHat founder and CTO. “To address today’s real cyber threats, companies must shift their security strategy – and budgets – from being predominately infrastructure-based and prioritize the data and applications directly.”

Recommendations

• You can’t secure what you don’t know you own – Inventory your Web applications to gain visibility into what data is at risk and where attackers can exploit the money or data transacted.
• Assign a champion – Designate someone who can own and drive data security and is strongly empowered to direct numerous teams for support. Without accountability, security, and compliance, will suffer.
• Don’t wait for developers to take charge of security – Deploy shielding technologies to mitigate the risk of vulnerable Web applications.
• Shift budget from infrastructure to Web application security – With the proper resource allocation, corporate risk can be dramatically reduced.

“Our research confirms the overwhelming value of taking a strategic, prescriptive posture to the many challenges organizations face in protecting valuable data, including a greater than 60 percent rate of improvement in fixing known vulnerabilities,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Sadly, too many organizations remain paralyzed by the false notion that security is too complex a challenge. This study shows otherwise; there’s no excuse for failing to make progress toward better security.”

The Ponemon study surveyed 627 IT and IT security practitioners from more than 400 multinational enterprises and government organizations. For a copy of the complete report visit: http://2010survey.whitehatimperva.com. A podcast on the findings, featuring a discussion between Brian Contos, Imperva’s Chief Security Strategist, and Jeremiah Grossman, Founder and CTO of WhiteHat Security, is also available.

About WhiteHat Security

Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company’s flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls and Snort-based intrusion prevention systems. To learn more about WhiteHat Security, please visit our website at www.whitehatsec.com.

About Imperva

Imperva is the global leader in data security. With more than 1,300 direct customers and 25,000 cloud customers, Imperva’s customers include leading enterprises, government organizations, and managed service providers who rely on Imperva to prevent sensitive data theft from hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, applications and file systems. For more information, visit www.imperva.com , follow us on Twitter or visit our blog.

# # #

Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.

Editorial Contacts