A new reports aims to understand the maturity and effectiveness of web application security in organizations worldwide. Security professionals with roles spanning development, DevOps, and C-suite from 382 organizations across the globe responded to a survey put together by Netsparker and Dimensional Research. Netsparker analyzed the findings and released the report, “New Vulnerability Found: Executive Overconfidence.” 

The survey found numerous areas where executives believe their organizations are more secure or adhere to best practices at a higher rate than security professionals deeper in the organization. For example, 75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don’t. 

Over 60% of DevOps respondents indicate that new security vulnerabilities are being found faster than they can be fixed, indicating that web application security efforts are insufficient. However, only just over 40% of executives are aware of this situation, and thus most companies are unlikely to be making the required investments to remedy the situation.

Despite this, respondents ranked web application security highest among areas they believe their company should focus. Over 66% of respondents named web application security as a priority – more than any other aspect of IT security, ahead of network security, endpoint security, and patch management. 

Additional highlights from the report include:

  • 20% of developers believe that development teams are resistant to incorporating security, while close to half of security professionals say they encounter developer resistance.
  • Just under 40% of developers indicated that critical security issues get automatically escalated, showing that organizations still have a long way to go to fully integrate security into the software development process.
  • Just under 35% of developers report friction caused by security false positives, compared to over 54% of security staff. This suggests that security teams bear the bulk of extra work caused by false alarms.

The survey shows a worrying disconnect between the theory and practice of web application security. While most organizations appreciate the importance of web security, many still don’t scan all their applications and an even greater number struggle to deal with vulnerabilities in a timely manner. 

This research shows that perceptions and expectations of web application security vary widely depending on the role. This misalignment between perception and reality creates dangerous threats to the security of organizations and their customer’s data as well.