A new study shows a wide discrepancy between the level of security that executives believe their organization has implemented versus the actual amount of security implemented according to the security staff. In a new survey from Netsparker, 75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don’t. The same survey has another worrying statistic. Over 60% of DevOps respondents indicated they are finding new security vulnerabilities faster than they can be fixed. But only 40% of the executives are aware of this problem in DevOps, meaning it’s unlikely the problem will get fixed.
Even with these contradictions, respondents to the survey ranked web application security highest among the areas they believe their company should focus on. 66% of respondents named web application security as a priority, ahead of all other aspects of IT security, including network security, endpoint security, and patch management.
The survey shows a surprising disconnect between the reality of what’s happening in organizations compared to what’s believed to be happening with regard to security practices. It appears that while most organizations seem to appreciate the importance of web security, many still don’t scan all their applications for security issues and an even greater number struggle to deal with vulnerabilities in a timely manner.
A good first step for organizations is evaluating their security posture and implementing a plan to get to the level of security they believe they already have. If your organization doesn’t already have a security framework in place, you may want to consider the one used by the federal government and produced by the National Institute of Standards and Technology (NIST). The recent finalization of NIST’s SP800-53 Revision 5 update on September 23, 2020, provides the most up-to-date recommended framework for security. It has new requirements for application security, including requirements for organizations to use Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST).
RASP solutions like the one from K2 Cyber Security offer significant application protection while using minimal resources and adding negligible latency to an application. The K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on knowledge of past attacks to identify a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks and also protects the application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy-to-use, easy-to-deploy solution. K2’s unique deterministic security detects new attacks without relying on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number of the code being attacked, while at the same time integrating with leading firewalls to block attackers in real time.
Change how you protect your applications, and check out K2’s web application and application workload security solution.