Cyber-attacks against web applications are increasing, yet security budgets for developers remain low.
The 2016 Data Breach Investigation Report showed that attacks against every business sector grew significantly, with financial services hit particularly hard by a 51 percent increase in reported incidents. Common Vulnerabilities and Exposures (CVEs) are not being addressed quickly enough, with the top 10 vulnerabilities accounting for 85 percent of successful exploit traffic.
Developer awareness of security controls is increasing, according to the recent ‘SANS Institute 2016 State of Application Security: Skills, Configurations and Components’ report. Tools and methods were ranked among the top three challenges to implementing AppSec by 38 percent of respondents, followed by a lack of funding or management buy-in (37 percent). Almost a third (60 percent) reported that they test applications continuously, but 53 percent still test applications when they are initially launched into production.
The largest group (57 percent) said they find one to 25 vulnerabilities per month, and the largest number (24 percent) said that more than half of the critical vulnerabilities they found were related to code bugs rather than misconfigurations. Unfortunately, fewer than 30 percent are achieving a 75 to 99 percent level of satisfaction with the time it takes to repair their vulnerabilities.