InfoSec Spending to Focus on Application Security in 2010

As organizations begin planning their 2010 budgets, many have targeted application security as a top priority for the coming year, according to a new report from The InfoPro released today.

The New York-based research firm released its Information Security Study following thorough interviews with 246 security professionals at Fortune 1000 organizations and midsize enterprises in North America and Europe this year. The general consensus was that mitigating risks in the application stack is the most pressing concern among practicing infosec experts.

The emphasis on application security tracks with the current threat landscape. According to the Verizon Business 2009 Data Breach Investigations Report, 79 percent of data breaches in 2008 were compromised via Web applications. According to TheInfoPro’s recent interviews, approximately 82 percent of those studied reported that applications available outside the corporate firewall worry them most. The InfoPro analysts found that slightly more than half of applications named by Fortune 1000 respondents fall in this category.

According to the survey, though awareness has risen regarding application threats most organizations still lack the fundamentals of a strong application security practice. Only 38 percent of Fortune 1000 respondents use static application analysis tools. Of those without, only an additional 17 percent plan on implementing such tools in the future.

Meanwhile, in a different survey conducted by application security vendor Breach Security at last week’s Black Hat event in Las Vegas, 60 percent of security pros said it takes their companies between one and four weeks to remediate a SQL injection, cross-site scripting attack or other critical web vulnerabilities—a period of ions in an era when the typical malware campaign is conducted within just a matter of days or even hours.

The growing push to amp up corporate application security practices has been evidenced by a lot of recent market movement. Last week IBM picked up the application security firm Ounce Labs for an undisclosed amount. And just last month Verizon Business rolled out a new application security service to its customers.