A recent study performed by IDG Research Services reports some interesting figures on the security of internally developed applications.
The study was conducted in both the US and the UK and focuses on security spending and security assessments, providing key indicators on the current situation as well as some forecasts.

We won’t go through the entire study, but here are some key findings directly related to web application security.

61% of internally developed web applications are not tested for security vulnerabilities.
Hmm, that’s not really exciting… or maybe it is for attackers, but if you’re using these applications, or if one of them is critical to your business, that’s a big risk.
Let’s move to something better.

For 83% of respondents, there is a critical or very important need to close gaps in security coverage.
This clearly indicates a growing awareness of security risks. Companies know they have to move forward and have to assess their applications for vulnerabilities.
That sounds much better.

In terms of security spending, the study shows that 65% of companies expect a net increase in the next 12 months.

OK, so if we take the three figures above, it means that a lot of internally developed web applications are not yet tested, that companies know they have to close the gaps, and that they expect a net increase in security spending in the very near future.
That’s what we will remember from the study: there is awareness, and that’s really good for the security of both companies and end users.

Last but not least, regarding executive commitment to application security testing, we see that only 3% of executives have little interest in application security programs (that’s for the US; it is 4% in the UK), which also sounds quite reassuring!

That being said, we’ll have to look at some similar figures next year, to see actual results.