Caleb Sima, CTO, Applications Security Center (and former co-founder and CTO of SPI Dynamics)

All organizations are affected by the economy’s ups and downs, so it’s no surprise that managers are reevaluating their IT budgets during these tougher times. However, according to the big three analyst firms – Forrester, Gartner and IDC – security will remain a key technology IT managers will invest in despite the current economic situation. 

In fact, a recent Forrester survey polled more than 1,200 North American security decision makers in enterprises large and small and found that security spending is on the rise. According to Forrester, security investment was about 8 percent of the total IT operating budget in 2007, but that figure edged toward 10 percent in 2008. In these difficult economic times, though spending on many IT projects may be on the wane, security spending will remain about the same.

So, why do we continue to hear about organizations facing data breaches if security budgets are increasing? The question enterprises should be asking themselves is: “Are we investing in the right tools to win the fight against the latest security threats?”

Let’s think back to the year 2000. Remember the new virus that brought the availability of e-mail servers to a crawl across the globe? Denial of service attacks knocked even the best-known e-commerce sites offline. Throughout the earlier part of this decade, viruses that spread through e-mail and memory-resident worms such as Code Red, SQL Slammer, and MS Blaster were the greatest threats. Defenses primarily consisted of anti-virus, anti-spam, firewalls, and network vulnerability scanners. Now, the good news is that these tools have done a relatively good job of securing e-mail and network-level traffic. The bad news is that criminal hackers have set their sights on web servers, web sites, and applications, but security budgets are not being allocated to protect them.

Unlike networks and e-mail, web applications can be infiltrated in a number of ways. Attacks are made possible by misconfigured web servers and by applications that haven’t been designed with security in mind from the start.

The Web Application Security Consortium (WASC) found that 85 percent of more than 31,000 websites scanned had application vulnerabilities that could give hackers the ability to read, modify and transmit sensitive data. How should you invest your security budget to win the fight against these latest security threats? 

To achieve sustainable security, web applications need to start secure to stay secure. Web applications should be built using secure coding practices, tested by quality assurance teams for security vulnerabilities, and monitored continually in production. This should all be standard procedure in the lifecycle of an application.

Security spending must keep pace with the latest threats. To beat the hackers at their game, organizations must look beyond viruses, spam, and firewalls. By investing in application security technologies and building security into the application lifecycle, smart companies can protect their most valuable online assets.