Application Security: Companies Have the Tools but Lack Grasp of Vulnerability

By September 09, 2013

Despite the data security measures systematically put in place, targeted attacks on company software applications are on the rise.

Applications seem to have been largely forgotten when it comes to cyber-security, or at least that is what we may conclude from a report, The State of Application Security, published in late August by France-based Quotium, which specialises in security and performance testing of business-critical applications. Of the more than 500 Chief Information Security Officers and Security Managers at large organisations in the US and Europe interviewed, only 11% believe their company’s software applications are secure. Perhaps even more alarming, close to half cannot say how frequently their applications are targeted by hackers. This is not so much due to a lack of resources and tools to ensure security, but rather a lack of awareness of the specific risks directly linked to the use of applications.


Vulnerabilities still not properly understood


The report finds that company awareness of systems security problems arising from the applications they use is still lacking. Just under 40% of the IT Security managers surveyed admitted that they lacked knowledge on the state of their application security. However the findings show that fully 90% of the large organisations polled are using tools to mitigate application security threats. The various options in use are regular penetration testing (66% of  the firms surveyed), web scanners and static code analysis (55%), plus firewalls directly shielding an application (47%). However, only 46% of the companies beef up their

systems protection by using Layered Security, i.e. combining these various security controls.


More frequent and more numerous attacks


In April this year, US global computer security software corporation Symantec revealed in its Internet Security Threat Report that there had been a 42% surge in targeted IT systems attacks during 2012 compared to the previous year. Evidence showed that these are increasingly focused on applications. Quotium’s survey discovered moreover that 40% of all organisations are targeted every day by application attacks. The sheer scope of this new avenue of attack by computer hackers is underlined by the statistics. In the majority of attacks that companies are aware of, around a quarter of them are nowadays on the application layer; in some cases this figure rises to over 50%. And, it should be noted, these figures only represent the attacks that have actually been detected by companies’ security controls.

Legal mentions © L’Atelier BNP Paribas