A new survey shows that despite the dismal economic conditions, more than a quarter of the companies polled expect to spend more on Web application security this year.
Data on Web application security is scarce, according to the project’s founders. The new survey is intended to be conducted quarterly.
Companies often save money through Internet-based sales, but also face risks such as data breaches and a subsequent loss of consumer confidence in their services.
The Security Spending Benchmarks Project comes from the Open Web Application Security Project (OWASP), dedicated to good Web application security practices.
The benchmarking survey is headed by Boaz Gelbord, who is also executive director of information security at Wireless Generation, along with help from Jeremiah Grossman, CTO and founder of White Hat.
Fifty-one companies responded to the survey, answering questions such as how much of their budgets are dedicated to Web application security and how those applications were vetted. More than a quarter of the companies that participated generate more than US$1 billion in revenue annually.
The survey doesn’t show exactly how much companies spent on Web application security but rather percentages of their budgets dedicated to the area. Other questions gauged how companies feel about the importance of strong Web apps.
The results are mixed, with some responses indicating that companies are more focused on application security. Though more than 25 percent companies expected to spend more on Web application security this year, thirty-six percent said spending would remain flat. Others did not respond.
Half of the companies said security is part of their branding strategy, but 61 percent said that security as a competitive advantage was not a motivation. Forty percent of companies said compliance was the most compelling reason for Web application security spending.
Sixty-one percent said they allow an independent third-party to review applications before deployment, with 17 percent saying they don’t. The rest either didn’t know or would do it if requested by a customer.
In a sign of how many companies are still catching up, more than third say they don’t use a Web application firewall to ensure against intrusions or detect anomalies.