OWASP Security Spending Benchmarks Report published

Few things free up security dollars faster than a data compromise. That is, companies that have suffered security incidents are more likely to invest in security.

That is just one of the findings in the first quarterly Security Spending Benchmarks Report, published Thursday by the Open Web Application Security Project (OWASP).

Among the survey's other findings: web application security spending is expected to either stay flat or increase at nearly two-thirds of the participating companies. The recession is not negatively affecting application security spending, but very little development headcount is dedicated mainly to security.

In outlining the purpose of the Security Spending Benchmarks Report, Boaz Gelbord, executive director of information security at Wireless Generation, and the Security Spending Benchmarks project leader for OWASP, said that it is part of an effort to determine how much spending on security is enough in the application development cycle.

“In terms of hardware and network costs, the balance is fairly well understood, but not so for security in application development – there is no benchmark data,” he told SCMagazineUS.com on Thursday.

“Executives want to know what the industry norm [is for application development security], set aside that budget, and see the security issue disappear so the company can focus on its core business,” Gelbord wrote in a post on his blog. 

Outsourcing application security seems to be a prevalent practice among the companies surveyed.

“One of the surprising things that came out of the survey for me was the large number of companies that employ third parties to review the security of their code. It seems companies are giving some training to developers or hiring people who have security backgrounds, building reasonably secure code, and then bringing in people to review it,” he told SCMagazineUS.com.

The survey also found that just under half of the surveyed organizations have web application firewalls deployed for web applications.

The survey was conducted through a network of 17 partner organizations that included security research and consultancy companies and industry associations. There were a total of 51 valid responses to the survey acquired through the project partners.


