SOURCE: Cenzic


October 13, 2009 10:04 ET

Survey Shows Nearly Half of IT Professionals Polled Feel Their Web Sites Are Not Secure, but Only 40 Percent of Them Test Sites on a Regular Basis

Why Don't Companies Make Security a Priority -- Six Tips for Garnering Executive Buy-In

NEW YORK, NY--(Marketwire - October 13, 2009) - SC World Congress -- Web application security and hackers are a key business issue, and in some cases the biggest threat for organizations. With intellectual property, critical client data and trade secrets being housed on internal and external Web applications, a security breach has the potential to destroy company reputation, brand and the business itself.

So in spite of the fact that the majority of IT professionals polled think their Web sites might not be secure, why are 63 percent of companies only testing their Web applications on a quarterly basis or less often? And how is it that only 28 percent of respondents are unaware of a security breach ever having occurred at their company?

This data, culled from nearly 400 IT professionals, almost 50 percent of whom had annual corporate revenue of $100 million or more, comes from a survey on Web application security conducted by eMedia and sponsored by Cenzic. These results are surprising given recent high profile cybercrime headlines and an industry statistic those in the security trenches live by -- that according to Gartner 75 percent of all deployed Web applications are vulnerable to attack.

If management doesn't understand the seriousness of Web application security, how can the company's security professionals possibly get the support and financial backing they need to protect corporate assets? Buy-in from various levels of an organization is key; garner support by following these best practices:

-- Effectively communicate the issue and build application security awareness. Executive management might not understand the impact or urgency of fixing security defects. Explain the importance of preventing a data breach, identity theft, unauthorized access and downed websites. Be sure to stay clear of jargon and use real world examples highlighting damages to companies. It's important to provide training on Web security issues to all functions and not just developers.

-- Align your security strategy with business objectives. Discuss specific management goals and point out how a security breach could stand in the way of meeting these objectives, be they revenue or corporate reputation goals.

-- Calculate the ROI. The cost of a breach can be $500K or more per incident. For example, the Heartland Payment Systems breach is estimated to have cost the company $12.6 million, along with damage to its reputation and a dramatic drop in the company's stock price.

-- Cite laws and compliance issues. Be sure to point out penalties for non-compliance with regulatory standards, which can pile up quickly. In particular, PCI is a big concern for many e-commerce companies and the regulation has brought awareness to the issue and compelled many companies to take steps toward securing their Web applications.

-- Emphasize Web app security as part of the software development process. Include stakeholders from the development team through QA and production.

-- Consider cloud-based solutions. They can provide a low-cost option with a quick start to any Web application security initiative, allowing organizations of all sizes to protect their Web infrastructure.

"It is more important than ever to examine your Web application security policies and assess vulnerabilities," said Mandeep Khera, CMO for Cenzic. "The time to take action and protect your business is now. What's scary is that more than eight out of 10 Web sites are severely vulnerable. Companies think they haven't been hacked but the fact is that hackers might already be in your Web sites comfortably exploiting in stealth mode. The good news is that many of these companies polled are open to using Web application security testing as a service in the Cloud, which should help them get a jump start in protecting their Web sites."

The survey also polled participants on the amount of Web 2.0 and rich media applications they are running, how they keep up with the latest security tactics and their biggest fears around a security breach. For a copy of the survey please visit To learn more tips attend "Web application security: Maneuvering the organizational complexities," on Wednesday, October 14, at SC World Congress.

About Cenzic

Cenzic is the next-generation Web application security assessment and risk management solutions leader. The Cenzic suite of application security solutions fits the needs of any company, from remote Cloud Computing (ClickToSecure®) for testing one or more applications, to a full enterprise-wide solution (Cenzic Hailstorm® Enterprise ARC) for effectively managing application security risks across an enterprise. Always an innovator, Cenzic has integrated Hailstorm with VMware to enable testing of production Web applications through virtualization -- making Cenzic the only company in the industry with a complete solution for assessing Web applications in all stages from development to production. In addition, Cenzic solutions, targeted at the financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.

Contact Information