Based on Aberdeen's Securing Your Applications benchmark study of more than 150 worldwide organizations (August 2010), the average respondent supports over 130 deployed applications. 

These are in turn supporting an average of approximately 6,800 end-users — part of an overall end-user population (including employees, contractors, business partners, and customers) that is growing at an estimated 6.5 per cent per year. More than two out of five (43 per cent) of these applications are classified as likely to have a serious adverse affect on the business or its end-users in the event of a loss of its confidentiality, integrity or availability.

The average respondent annually invests nearly $400,000 (£248,000) on application security initiatives, an estimate which includes not only the technologies but also the people and process aspects of securing their Internet-touching enterprise applications.

On average, respondents estimate that about four out of five (82 per cent) of application vulnerabilities are discovered and remediated before deployment — which of course means that roughly one in five are not.

Figure 1, below shows the distribution of application security vulnerabilities that are discovered and remediated, by phase of the software development lifecycle. Best-in-Class companies remediate more (88.3 per cent) before deployment than Laggards (76.6 per cent) — and experience two-thirds fewer incidents as a result.

The problem is not necessarily that 20 per cent of application vulnerabilities are not discovered and remediated until after the applications have been deployed. The problem is that the total cost of remediating an actual application security-related incident is so high — about $300,000 (£186,000), across all respondents.

In other words, successful prevention of a single occurrence nearly offsets the total annual cost of the average organization's application security initiative. A high probability of occurrence, multiplied by a high cost per occurrence, is what gives credence to the argument that application security is free.

Figure 1: Discovering and Remediating Application Security Vulnerabilities

Source: Aberdeen Group, September 2010

Market Trends: Web Applications are Most Vulnerable
As noted by Aberdeen in Web Security in the Cloud (May 2010), industry sources report that nearly half of all identified vulnerabilities are related to web applications; surprisingly, however, at end of 2009 about two-thirds of known web application vulnerabilities had no vendor-supplied patch available.

In one typical eight-week period between May and June 2010, for a more specific example, more than 800 new updates and vulnerabilities were identified — not only for Windows platforms, but also for Mac, Unix, Linux, cross-platform, network devices and web applications (Figure 2).

There were more than 3-times more vulnerabilities in third-party Windows applications than in Windows, Microsoft Office and other Microsoft products combined — underscoring the importance of a comprehensive approach to vulnerability management, even for Microsoft-only shops.

Figure 2: New Updates and Vulnerabilities Identified over 8 weeks

Source: Qualys, in partnership with SANS

Nearly 60 per cent (455) of the new vulnerabilities identified during this particular period were related to web applications, and of those more than 60 per cent (284) were examples of SQL injections or cross-site scripting — in spite of the excellent collaborative work of the Open Web Application Security Project (OWASP) and the widespread publicity regarding the OWASP Top 10 web application security threats (Table 1), in which injections and cross-site scripting are number one and number two.

Clearly it will continue to require more education, time and focused effort to eliminate these and other vulnerabilities from the fastest-growing category of applications. Be particularly watchful also for growth in application vulnerabilities for mobile platforms.

Derek Brink is Vice President and Research Fellow for IT Security at Aberdeen Group

Pic: simon cocks cc2.0