Study: 66% of UK enterprise internal apps remain untested against key security threats

UK enterprises are trailing their US counterparts on application security with less money being spent meaning that a lower level of testing is taking place on applications.

Related: Google vows to revolutionise enterprise security with encryption

Research carried out by IDG found that UK companies spend an average of 21 per cent less than US firms of a comparable size on enterprise security programmes and are risking problems as a result.

When it comes to testing apps against vulnerabilities, 66 per cent of internal developer apps in the UK remain untested against critical threats such as SQL injection. UK companies are also far more likely to focus app security programmes on a subset of business-critical apps and not the entire app portfolio, the latter of which is commonplace at US firms.

Not extending the process beyond business-critical apps means that “thousands of applications” are left vulnerable, and it leaves firms open to long-term security threats from cyber criminals that attack the easiest path into company systems.

“Companies are becoming better at securing their networks and endpoints, causing cyber-criminals to focus their efforts on the application-layer. As a result, more than half of all successful breaches are attributed to application-layer vulnerabilities,” said Adrian Beck, manager of security programme management, EMEA at Veracode. “Closing the security the gap between the numbers of apps being produced and number that are assessed for security will help UK companies remain competitive in the new application economy.”

US companies are also far more likely to issue mandates for enterprise-wide application security assessment programmes that result in US programmes that are, on average, much more mature than UK ones.

Related: MWC 2014: 80% in IT say consumerisation is forcing up enterprise app expectations

For the study IDG spoke at length with executives from large enterprises and asked questions about each company’s application security programmes and the practices employed.