State of Web Application Security U.S. Survey of IT & IT security practitioners

Transcription

1 State of Web Application Security U.S. Survey of IT & IT security practitioners Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: March 2011 Ponemon Institute Research Report

2 Part 1. Executive Summary State of Web Application Security Ponemon Institute, March 2011 Ponemon Institute is pleased to present the findings of the State of Web Application Security study sponsored by Cenzic and Barracuda Networks. We surveyed 637 IT and IT security practitioners in a variety of industries with an average of 11 years experience in their profession. The survey focused on the following issues: The importance of securing Web-facing applications What organizations are doing to augment and secure Web applications Perceptions about the use of Web application firewalls (WAFs) What organizations are doing to test the vulnerabilities of Web applications Web applications are vulnerable to hundreds of threat vectors. According to OWASP s Top 10 Web Software Application Security Risks, SQL injection flaws are considered the most critical Web application security risks for organizations followed by cross-site scripting (XSS) flaws. Other serious vulnerabilities include session management, privilege escalation, and cross-site request forgery among many. Some of the consequences from injection flaws include data loss, corruption, denial of access or complete host takeover. Cross-site scripting could allow an attacker to hijack a user s session or deface Websites. 1 The IT practitioners in our study agree that it is important to reduce the risks caused by these threats. According to the findings, 74 percent of respondents believe Web application security is either more critical or equally critical to other security issues faced by their organizations. When asked what the economic impact would be if they had a hacker attack, 25 percent of respondents have no idea. Almost half (47 percent) estimate it can range from $100,000 to $500,000 and the average is $255,000. IT practitioners recognize attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption. Given both the importance of Web application security and the potential for significant economic loss, are the organizations represented in our study taking the necessary measures to protect their Web applications? As shown in this study, only a small percentage of respondents test their Web applications for vulnerabilities. This lack of testing could be attributed in part to the fact that only 12 percent strongly agree that they have ample resources to detect and remediate insecure Web apps. There are other indications that the state of Web application security is dismal. While 73 percent of the organizations in the study have been hacked at least once in the last 24 months, 72 percent of the respondents test less than 10 percent of their applications. The reasons for this are a lack of budget and expertise. To make matters worse, 64 percent do not agree that their organization is able to fix Web application vulnerabilities quickly. In fact, 88 percent of respondents say their Web application security budget is less than the organization s coffee budget (about $30 per employee per month). Sixty-seven percent say it is less than the budget for network security and 51 percent say it is less than the budget for database encryption. Following is a summary of key findings according to the following three themes: Perceptions and concerns about Web application security, methods and standards used to secure Web applications and why the state of Web application security in organizations is at risk. 1 Injection Tops List of Web Application Security Risks, Angela Moscaritolo, SC Magazine, April 19, 2010 Ponemon Institute Research Report Page 1

3 Part 2. Key Findings Perceptions and concerns about Web application security Web application security is considered critical by many respondents. Bar Chart 1 shows 43 percent of respondents believe Web app security is equally critical to other security issues faced by their organization and 31 percent say it is more critical than other security issues. Only 19 percent see Web app security as less critical that other security issues. Bar Chart 1: How critical is Web app security vs. other security issues? 5 45% 4 35% 25% 15% 5% 43% 31% 19% 7% Web app security is equally critical Web app security is more critical Web app security is less critical Unsure Bar Chart 2 shows a majority of respondents who believe Web app security is one of their highest priorities. However, only 35 percent believe their organizations have ample resources to detect and remediate insecure Web apps. In addition, only 36 percent believe their IT organizations have adequate governance and policies over the use of insecure Web apps by end-users across the enterprise. Sixty-four percent of respondents believe their organizations do not fix Web application vulnerabilities quickly and efficiently. Bar Chart 2: Attributions about Web app security and IT compliance Five-point scale from strongly agree to strongly disagree My IT organization considers Web app security one of its highest priorities. My IT organization views compliance as one of its highest priorities. My IT organization has adequate governance and policies over the use of insecure Web apps. My IT organization fixes Web app vulnerabilities quickly and efficiently. My IT organization has ample resources to detect and remediate insecure Web apps. 53% 5 36% 36% 35% 47% 5 64% 64% 65% Srongly agree & agree Strongly disagree, disagree & unsure Ponemon Institute Research Report Page 2

4 Hacks through Websites are the number one concern. Bar Chart 3 shows the average rank for three hacking attacks in ascending level of concern. When asked what type of hacker attack concerns them most, respondents ranked hacks through Websites followed by hacks at the network layer and hacks through desktops, laptops or other connected devices. Bar Chart 3: What category of hacker attack concerns you the most? Rank order from 3 = highest level of concern to 1 = lowest level of concern Hacks through desktops, laptops or other connected devices Hacks at the network layer Hacks through websites As shown in Bar Chart 4, a majority of respondents (53 percent) agree or strongly agree it is the responsibility of the Web-hosting provider to secure their organization s Web applications. Bar Chart 4: Attribution I expect my Web app to be secured by the Web-hosting provider Five-point scale from strongly agree to strongly disagree % 47% 4 Strongly agree & agree Strongly disagree, disagree & unsure Ponemon Institute Research Report Page 3

5 Data protection and compliance are the most important reasons for securing Web applications. Bar Chart 5 shows the top three reasons for securing Web apps, which are: data protection (62 percent), compliance with laws and regulations (51 percent), and the avoidance of business disruption (42 percent). Very few respondents see revenue loss (7 percent) or brand protection (8 percent) as important reasons for ensuring Web app security. Bar Chart 5: What are the most important reasons for securing your Web apps? Data protection 62% Compliance with laws & regulations 51% Business disruption 42% Job protection 15% Customer loss Brand protection Revenue loss 8% 7% 9% Bar Chart 6 reports the primary means for securing Web-facing applications. These include network firewalls (69 percent), reverse proxy (49 percent) and internal pen testing (43 percent). Other popular tools are Web application firewalls (41 percent) and intrusion prevention systems (40 percent). The fact that network firewalls are selected as the most popular method used to augment and secure Web apps suggests many respondents lack sufficient knowledge. Bar Chart 6: What is your primary means of securing Web facing applications? Network firewall 69% Reverse proxy Internal pen testing Web application firewall (WAF) Intrusion prevention system (IPS) Web application vulnerability scanning 49% 43% 41% 4 36% Managed service External pen testing 28% 26% Ponemon Institute Research Report Page 4

6 Attacks on an organization s Web applications can be costly. When asked what the economic impact would be if they had a hacker attack, 25 percent have no idea. Almost half (47 percent) estimate it can range from $100,000 to $500,000, with an extrapolated average cost of $255,000. These findings suggest IT practitioners recognize that attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption. Bar Chart 7: What is the total economic impact if your organization were hacked? The extrapolated mean value is 255,000 dollars 25% 25% 15% 17% 15% 12% 13% 7% 7% 5% 3% 1% < $50k $50 to 100k $101 to 200k $201 to 300k $301 to 400k $401 to 500k $501 to 1 million > $1 million Do not know Methods and standards used to secure Web applications The majority of Web application firewall (WAF) users in our study consider a full reverse proxy WAF to be more secure. Bar Chart 8 compares the overall sample of respondents with a subsample of WAF users (about 41 percent). As can be seen, 73 percent of WAF users believe a reverse proxy WAF is more secure than a full reverse proxy. Bar Chart 8: Do you consider a full reverse proxy WAF to be more secure? Yes Yes No Unsure No Unsure Yes No Unsure Overall WAF User Ponemon Institute Research Report Page 5

7 Why? According to Bar Chart 9, WAF users see the top reasons as session termination and reconstruction (34 percent), the ability to scan uploaded documents for malware before they hit the Web application (23 percent), and ICAP connections for incorporating data loss prevention systems (23 percent). Bar Chart 9: If yes, why do you consider a full reverse proxy WAF to be more secure? Session termination and reconstruction 34% Ability to scan uploaded documents for malware before they hit the Web application ICAP connections for incorporating data loss prevention systems 23% 23% HTTP and HTTPS protocol enforcement 5% 15% 25% 35% 4 WAF users consider this enabling technology as necessary or critical for their organizations security infrastructure. Eighty-five percent of WAF users consider this method as necessary or critical to achieving the organization s security objectives. While not shown in Bar Chart 10, only 39 percent of the overall sample believes WAFs are critical and 40 percent are uncertain about its criticality. This result suggests there is a great deal of unfamiliarity with WAFs. Bar Chart 10: Do you consider Web application firewalls (WAF) to be a necessary or critical piece of your security infrastructure? Subsample of 261 respondents who are WAF users 9 85% % Yes No Unsure Ponemon Institute Research Report Page 6

8 Further, as noted in Bar Chart 11, 68 percent of WAF users consider a fully functional WAF as one that optimizes both performance and security. While not shown in the chart, only 31 percent of respondents in the general sample believe this is the case and 43 percent are unsure. Again, this difference suggests that there is uncertainty about the capabilities and value provided by WAFs. Bar Chart 11: Do you consider a fully functional WAF one that optimizes for both performance and security? Subsample of 261 respondents who are WAF users % % 19% Yes No Unsure For those WAF users who say that a fully functional WAF optimizes both performance and security, 55 percent see security as more important than performance. Bar Chart 12 shows only 20 percent of WAF users see performance as more important than security, and 25 percent see security and performance as equally important. Bar Chart 12: In terms of security and performance which one is more important? Subsample of 177 WAF users who said yes to the question posed in Bar Chart % % Security is most important Performance is most important Both security and performance are equally important Ponemon Institute Research Report Page 7

9 NIST, SANS 25 and CWE are the top three standards used in responding organizations Web app security efforts. As shown in Bar Chart 13, almost half of all respondents (49 percent) say their organization applies NIST standards followed by 39 percent who apply SANS 25 and 29 percent who apply CWE. In the case of OWASP, 57 (19+38) percent of respondents are very familiar or somewhat familiar with OWASP organization and principles which is very surprising given that it's the only non-profit organization focused entirely on Web application security. Of those who are very familiar or familiar with OWASP, 35 percent apply these principles. Another 30 percent of these respondents are unsure. Pie Chart 1: How familiar are you with the OWASP organization and principles? Bar Chart 13: Besides OWASP, what other industry standards do you adapt for Web app security? 13% 19% NIST 49% Very familiar Somewhat familiar Not familiar SANS 25 CWE 29% 39% 38% No knowledge Other 16% 4 6 Why the state of Web app security is at risk Only a small percentage of Web applications are tested for vulnerabilities. As previously mentioned, 53 percent of respondents agree that they expect Web apps to be secured by the Web hosting provider (see Bar Chart 4). That could explain why only a small percentage of Web apps are being tested for vulnerabilities on-premises. Bar Chart 14: What percentage of Web apps have you tested for vulnerabilities? 45% 4 35% 25% 15% 5% 4 12% 14% No testing Less than 5% 5 to 11 to 25% 26 to 5 51 to 75% 76 to 10 8% 2% 4% Ponemon Institute Research Report Page 8

10 As noted above in Bar Chart 14, 20 percent of respondents admit their organizations do not test and 40 percent test less than 5 percent of all Web apps used. The extrapolated average for all Web applications that are being tested by organizations is estimated to be 13 percent. While not shown in the chart below, one of the main reasons for not testing their Web applications concerns the lack of budget or in-house expertise. As shown in Bar Chart 15, Web app vulnerability scanning is the most popular method for testing. Forty-nine percent of respondents use this method followed by managed service (19 percent). Proprietary apps and outsourced apps are the categories most often tested. Bar Chart 15: What do you use for testing your Web apps? % 4 19% 14% 15% Web application vulnerability scanning Managed service External pen testing Internal pen testing Bar Chart 16 shows 56 percent of respondents say their organizations test Web apps in development and 54 percent test them in testing and quality assurance venues. Only 13 percent test their applications in production. Bar Chart 16: Do you test Web apps in the following venues? % 54% 4 13% Development Testing and quality assurance Production Ponemon Institute Research Report Page 9

11 The budget for Web application security is less than what an organization spends on coffee for its employees. As shown in Bar Chart 17, 88 percent of respondents say the coffee budget is bigger (about $30 per employee per month) and 67 percent say it is less than the budget for network security. Yet, we estimate from the responses that one attack could cost the organization an average of $255,000. Bar Chart 17: What statements best describe your organization s Web app security budget relative to other budgeted items? Our Web app security budget is less than... The coffee budget 88% Network security budget 67% Database encryption budget 51% Endpoint security budget 38% Laptop disk encryption budget 34% Identity and access management budget 21% The budget for data loss prevention (DLP) 14% Organizations are at risk because many Web application vulnerabilities are not fixed after detection. Or, if they are fixed it can take months. According to Bar Chart 18, 64 (31+33) percent of respondents say their organizations have been hacked through insecure Web applications between one and 10 times in the past 24 months. Another 20 percent of respondents were unable to assess the frequency of hacks through insecure Web apps. Bar Chart 18: How many times in the past 24 months has your organization been hacked through insecure Web apps? 35% 31% 33% 25% 15% 5% 7% 9% None 1 to 5 6 to 10 More than 10 Do not know Ponemon Institute Research Report Page 10

12 Bar Chart 19 shows, 21 percent of respondents do not know how long it takes to fix a single Web application vulnerability. The extrapolated average for all organizations participating is more than 68 hours or 8.5 days (assuming a normal eight-hour work day). While not shown in the chart below, organizations are devoting approximately 24 percent of their information security efforts to detecting and fixing the vulnerabilities caused by insecure applications Bar Chart 19: How long does it take to fix one vulnerability found in a Web app? 25% 21% 21% 15% 9% 13% 13% 11% 5% 4% 2% 6% < 60 minutes 1 to 4 hours 5 to 8 hours 1 to 2 days 3 to 7 days 1 to 4 weeks > 4 weeks Never able to fix Do not know As shown in Bar Chart 20, the controls in place to protect their Web infrastructure until the Web apps are secure include network firewall (42 percent), manual processes (39 percent), WAF (38 percent) and intrusion detection or intrusion prevention systems (18 percent). Bar Chart 20: Until you fix a known Web app vulnerability, what controls do you put inplace to protect the Web infrastructure? 45% 4 35% 25% 15% 5% 42% 39% 38% 18% Network firewall Manual process WAF IDS/IPS Ponemon Institute Research Report Page 11

13 Part 3. Methods Table 1 summarizes the sample response for this study. Our sampling frame of practitioners consisted of nearly 13,000 individuals located in the United States who have bona fide credentials in the IT or IT security fields. From this sampling frame, we invited 12,136 individuals. This resulted in 756 individuals completing the survey of which 119 were rejected for reliability issues. Our final sample of 637 respondents represents a 4.9 percent response rate. Table 1: Sample response statistics Frequency Total sampling frame Total invitations sent Bounce-back 1084 Total returns 756 Rejected returns 119 Final sample 637 Response rate 4.9% On average, respondents held 11.2 years of experience in either the IT or IT security fields. Twenty-six percent of respondents are female and 74 percent male. Table 2 shows the position levels of respondents. As shown, more than 66 percent of respondents are at or above the supervisory level. Table 2: Respondents organizational level Senior Executive 1% Vice President 2% Director 17% Manager Supervisor 16% Technician 25% Staff 5% Contractor 3% Other 1% Table 3 shows the headcount (size) of respondents business companies or government entities. As can be seen, more than half (51 percent) of respondents are employed by large-sized organizations with more than 5,000 individuals. Thirteen percent are small-to-medium (SMB) sized organizations. Table 3: Global headcount (size) of respondents organizations Less than 500 people 500 to 1,000 people 13% 1,001 to 5,000 people 26% 5,001 to 25,000 people 29% 25,001 to 75,000 people 15% More than 75,000 people 7% Ponemon Institute Research Report Page 12

14 Pie Chart 2 shows the industry distribution for respondents who are employed by private and public sector organizations. As can be seen, the largest sectors include financial services (including banking, insurance, credit cards, investment management), public sector (including federal, state and local government organizations), and health and pharmaceuticals. Pie Chart 2: Industry segments of respondents organizations 3% 3% 2% 2% Financial Public sector 5% Health & pharma Industrial 5% Retail 6% Services Technology 15% Communications 7% Education Hospitality 9% Transportation 14% Defense 9% Media Table 4 reports the geographic footprint of respondents organizations. In total, 86 percent of organizations have operations (headcount) in two or more countries. In addition, 79 percent have operations in one or more European nations. Finally, a total of 46 percent have operations in all major regions of the world. Table 4: Geographic footprint of respondents organizations United States 10 Canada 81% Europe 79% Middle East & Africa 46% Asia-Pacific 64% Latin America (including Mexico) 55% Ponemon Institute Research Report Page 13

15 Part 4. Conclusions & limitations Concluding thoughts We believe the research findings show that the state of Web application security is bleak and requires an immediate response from organizations. While companies and government agencies are constantly being hacked through the Websites, minimal efforts are being made toward securing these websites. Factors contributing to the insecurity are a lack of budget, expertise and governance procedures. As a result, Web application vulnerabilities are not fixed quickly. According to IT practitioners in our study, 21 percent do not know how long it takes to fix one vulnerability and 6 percent say they are never able to fix these vulnerabilities. Decisions to fix Web application vulnerabilities are made informally (46 percent of respondents) or there is no effort for priorities to be set (29 percent). We hope this study creates awareness of a security problem that could have serious financial and reputational consequences for organizations. On a positive note, IT practitioners seem to be aware of the threats to their Web applications. The next step is to convince management to consider making Web application security as important as the coffee budget. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that auditors who did not participate are substantially different in terms of underlying beliefs from those who completed the survey. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are information system auditors. We also acknowledge that responses from paper, interviews or telephone might result in a different pattern of findings. 0BSelf-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, there is always the possibility that certain respondents did not provide responses that reflect their true opinions. Ponemon Institute Research Report Page 14

16 Appendix: Detailed Survey Findings The following tables provide the sample response and percentage frequencies for all survey questions completed by 637 respondents and a subsample of 261 WAF users. All survey results were completed in February Sample response statistics Frequency Total sampling frame 12,995 Total invitations sent 12,136 Bounce-back 1,084 Total returns 756 Rejected returns 119 Final sample 637 Response rate 4.9% Part 1. General Q1. What category of hacker attack concerns you the most? Please rank from 3 = highest level of concern to 1 = lowest level of concern. Average rank Hacks at the network layer 1.25 Hacks through desktops, laptops or other connected devices 1.88 Hacks through websites 2.31 Q2. If your organization were to be hacked, what do you think would be the economic impact in total dollars? An approximate response is welcome. Zero (nothing) 4% Less than $50k 3% $50 to 100k 17% $101 to 200k 15% $201 to 300k 12% $301 to 400k 13% $401 to 500k 7% $501 to 1 million 3% $1 to 5 million 1% More than $5 million Do not know 25% Extrapolated value (000 omitted) $ Q3. What are the two most important reasons for securing your Web apps? Compliance (such as PCI, HIPAA, GLBA, various state laws, privacy directive, etc.) 51% Data protection 62% Business disruption 42% Brand protection 8% Revenue loss 7% Customer loss 9% Job protection 15% Other (please specify) 1% Total 195% Ponemon Institute Research Report Page 15

17 Part 2: Web application security Q4. What is your primary means of securing Web facing applications? Please select all that apply. Intrusion prevention system (IPS) 4 Web application firewall (WAF) 41% Network firewall 69% Reverse proxy 49% Web application vulnerability scanning 36% Managed service 28% External pen testing 26% Internal pen testing 43% Others (please specify) 3% Total 335% Q5. What additional methods do you use for augmenting and securing Web applications? Please select all that apply. Load balancing 21% SSL 34% File caching 27% Data compression 19% Integration with AAA systems 14% Two factor authentication 18% IPS / IDS 28% Web application firewall (WAF) 38% Network firewall 62% Web application vulnerability scanning 29% Managed service 26% External pen testing 34% Internal pen testing 36% Total 386% Strongly agree Q6. Please rate the following statement using the scale provided below. & agree I expect my Web apps to be secured by the Web hosting provider. 53% Q7a. Do you consider a full reverse proxy WAF to be more secure? WAF Users* Yes 73% No 13% Unsure 13% *WAF user subsample = 261 respondents Q7b. If yes, why? HTTP and HTTPS protocol enforcement Session termination and reconstruction 34% Ability to scan uploaded documents for malware before they hit the Web application 23% ICAP connections for incorporating data loss prevention systems 23% Q8. Do you consider Web application firewalls (WAF) to be a necessary or critical piece of your security infrastructure? WAF Users* Yes 85% No 5% Unsure *WAF user subsample = 261 respondents Ponemon Institute Research Report Page 16

18 Q9a. How familiar are you with the OWASP organization and principles? Very familiar 19% Somewhat familiar 38% Not familiar No knowledge 13% Q9b. [If very familiar or somewhat familiar] Do you apply OWASP principles to your Web application security policy? Yes 35% No 35% Unsure Q9c. Besides OWASP, what other industry standards do you adapt for application security? NIST 49% SANS 25 39% CWE 29% Other 16% Total 133% Q10a. Do you consider a fully functional WAF one that optimizes for both performance and security? WAF Users* Yes 68% No 13% Unsure 19% *WAF user subsample = 261 respondents Q10b. If yes, in terms of security and performance which one is more important? Security is more important 44% Performance is more important 4 Both security and performance are equally important 16% Q11. When I research security solutions, my most trusted source of information is: References from other enterprises in my industry 49% Research organizations and analysts 22% Service providers or consultants 29% Other (please specify) Q12. How many Web apps does your organization have? Zero (none) 1 to 10 3% 11 to 50 5% 51 to % 100 to 1,000 21% 1,000 to 5,000 11% More than 5,000 9% Do not know (go to Q20) 24% Extrapolated value 1,121 Ponemon Institute Research Report Page 17

19 Q13. How did you compute the number of Web apps? Estimation 64% Ran an automated tool 19% Internal assessment or survey 17% Other (please specify) Q14. What percentage of these Web apps have you tested for vulnerabilities? Your best approximation is welcome. No testing performed (skip to Q20) Less than 5% 4 5 to 12% 11 to 25% 14% 26 to 5 8% 51 to 75% 2% 76 to 10 4% Extrapolated value 13% Q15. If you test less than of your Web apps, what are the reasons? Please check all that apply? We do not have the budget 31% We do not have the expertise 34% We are not certain we need to test more 11% Our organization has never been hacked 9% Our organization s leaders do not understand app security or see its need 15% Other (please specify) Q16. For testing your Web apps, what do you use? Web application vulnerability scanning 49% Managed service 19% External pen testing 14% Internal pen testing 15% Others (please specify) 3% Q17. How often do you test these Web apps? Once a year 8% Twice a year 13% Every quarter 23% Every month 16% More than monthly 5% Every time the code changes 16% Irregular intervals 19% Q18. Do you test Web apps in the following categories? Please check all that apply. Commercial apps 43% Proprietary apps 52% Outsourced apps 49% None of the above 3% Total 147% Ponemon Institute Research Report Page 18

20 Q19. Do you test Web apps in the following venues? Please check all that apply. Production 13% Development 56% Testing and quality assurance 54% None of the above 3% Total 126% Q20. How critical is Web app security vs. other security issues within your organization? Web app security is more critical than other security issues faced by my organization. 31% Web app security is less critical than other security issues faced by my organization. 19% Web app security is equally critical to other security issues faced by my organization. 43% Unsure 7% Q21. On average, what percentage of your organization s information security efforts are devoted to fixing vulnerabilities relating to insecure Web apps? Less than 5% 11% 5 to 13% 11 to 15% 21 to 28% 31 to 4 19% 41 to 5 6% More than 5 8% Extrapolated value 24% Q22. On average, how long does it take you to fix one vulnerability found in a Web app? Less than 60 minutes 9% 1 to 4 hours 21% 5 to 8 hours 13% 1 to 2 days 13% 3 to 7 days 11% 1 to 4 weeks 4% More than 4 weeks 2% Never able to fix 6% Do not know 21% Extrapolated value (hours) 68 Q23. Until you fix your known Web app vulnerabilities, what controls do you put inplace to protect your Web infrastructure? WAF 38% IDS/IPS 18% Network firewall 42% Manual process 39% Other (please specify) 3% Total 128% Ponemon Institute Research Report Page 19

21 Q24. How do you prioritize your Web app vulnerabilities? Quantitative score or metric 11% Simple high, medium, low rating 12% Informally 46% We do not prioritize 29% Other (please specify) 2% Q25. What statements best describe your organization s Web app security budget relative to other budgeted items? Please check all that apply. Our Web app security budget is less than... The coffee budget (assume $30 per employee per month) 88% The budget for network security 67% The budget for data loss prevention (DLP) 14% The budget for database encryption 51% The budget for laptop disk encryption 34% The budget for endpoint security 38% The budget for identity and access governance systems 21% Total 313% Q26. How many times in the past 24 months has your organization been hacked through insecure Web apps? Zero (never) 7% 1 to 5 31% 6 to 10 33% More than 10 times 9% Do not know Part 3. Attributions Q27. Please rate each one of the following four statements using the scale provided below each item. Strongly agree & agree Q27a. My IT organization has ample resources to detect and remediate insecure Web apps. 35% Q27b. My IT organization considers Web app security one of its highest priorities. 53% Q27c. My IT organization fixes Web app vulnerabilities quickly and efficiently. 36% Q27d. My IT organization has adequate governance and policies over the use of insecure Web apps by end-users across the enterprise. 36% Q27e. My IT organization views compliance as one of its highest priorities. 5 Part 4. Your Role D1. What organizational level best describes your current position? Senior Executive 1% Vice President 2% Director 17% Manager Supervisor 16% Technician 25% Staff 5% Contractor 3% Other 1% Ponemon Institute Research Report Page 20

22 D2. Is this a full time position? Yes 96% No 4% D3. Check the Primary Person you or your IT security leader reports to within the organization. CEO/Executive Committee 1% Chief Financial Officer 3% General Counsel 2% Chief Information Officer 52% Chief Information Security Officer 17% Compliance Officer 9% Human Resources VP 3% Chief Security Officer 6% Chief Risk Officer 5% Other 2% D4. Experience in IT or IT security Mean Total years of experience 11.2 Total years in present position 5.67 D5. Gender Female 26% Male 74% D6. What industry best describes your organization s industry focus? Airlines 1% Automotive 1% Brokerage & Investments 3% Communications 4% Credit Cards 2% Defense 2% Education 3% Energy 3% Entertainment and Media 2% Food Service 2% Government 15% Healthcare 11% Hospitality 3% Industrial 5% Insurance 1% Internet & ISPs 1% Pharmaceuticals 4% Professional Services 5% Research 2% Retail Banking 14% Retailing 7% Services 2% Technology & Software 6% Transportation 1% Ponemon Institute Research Report Page 21

23 D7. Where are your employees located? (Check all that apply): United States 10 Canada 81% Europe 79% Middle East & Africa 46% Asia-Pacific 64% Latin America (including Mexico) 55% D8. What is the worldwide headcount of your organization? Less than 500 people 500 to 1,000 people 13% 1,001 to 5,000 people 26% 5,001 to 25,000 people 29% 25,001 to 75,000 people 15% More than 75,000 people 7% Ponemon Institute Research Report Page 22

24 If you have any comments or concerns about this research, please contact us at or send an to Thank you for your interest in our work. Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 23