The first fact that arises from the study is that most of the big organizations interviewed currently have processes in place to test their web applications vulnerabilities. Most of them use penetration testing services, automated testing tools - mostly applications scanners or static code analyzers – or web application firewalls to secure their assets.
However, a majority of security managers are unsure of the current level of their application security state and do believe that a hacker could manage to exploit their applications.
Almost half do not have a clear view on the attacks currently performed against their organization.
One of the most interesting findings of this study is the gap between the efforts put into protecting applications and the actual state of the applications. While almost all organizations invest time, money and energy into protecting their infrastructure, using one or more types of service or technology, most applications remain vulnerable and are still being attacked.