Few things free up security dollars faster than a data compromise. That is, companies that have suffered security incidents are more likely to invest in security.
That is just one of the findings in the first quarterly Security Spending Benchmarks Report, published Thursday by the Open Web Application Security Project (OWASP).
Other findings of the survey include: web application security spending is expected to either stay flat or increase in nearly two thirds of the companies participating in the survey; the recession is not negatively affecting application security spending; and very little development headcount is dedicated mainly to security.
In outlining the purpose of the Security Spending Benchmarks Report, Boaz Gelbord, executive director of information security at Wireless Generation, and the Security Spending Benchmarks project leader for OWASP, said that it is part of an effort to determine how much spending on security is enough in the application development cycle.
“In terms of hardware and network costs, the balance is fairly well understood, but not so for security in application development – there is no benchmark data,” he told SCMagazineUS.com on Thursday.
“Executives want to know what the industry norm [is for application development security], set aside that budget, and see the security issue disappear so the company can focus on its core business,” Gelbord wrote in a post on his blog.
Outsourcing application security seems to be a prevalent practice among the companies surveyed.
“One of the surprising things that came out of the survey for me was the large number of companies that employ third parties to review the security of their code. It seems companies are giving some training to developers or hiring people who have security backgrounds, building reasonably secure code, and then bringing in people to review it,” he told SCMagazineUS.com.
The survey also found that just under half of the surveyed organizations have web application firewalls deployed for web applications.
The survey was conducted through a network of 17 partner organizations, including security research and consultancy companies and industry associations. A total of 51 valid responses were collected through the project partners.