In July 2018, F5 released its first annual Application Protection Report based on the results of an F5-commissioned Ponemon survey of 3,135 IT and security practitioners across the globe. Additional research conducted by Whatcom Community College and University of Washington Tacoma, along with data from White Hat Security and Loryka, served to make this one of the most comprehensive application protection reports available today. In it, we provide a practical model for understanding the complexities of web applications; we look at the cold, hard facts about how, why, where, and how frequently apps are attacked; and we suggest concrete steps that security professionals can take today to protect their applications.
Based on the breadth of data examined, the full report provides aggregate global averages of our findings across all industry sectors. Yet, there were clearly distinct differences in data collected and survey responses across specific industries that are useful to examine more closely. This article explores those differences in greater depth.
Industry Breakdown
The 3,135 cyber-security professionals we surveyed in the US, Canada, United Kingdom, Brazil, China, Germany, and India represented 16 industries in total. By far, most respondents were from the Financial Services, Industrial & Manufacturing, Public Sector, Health & Pharmaceuticals, and Technology & Software industries. A fair number of respondents represented Retail, Services (that is, companies providing consulting and/or business services rather than tangible goods), Energy & Utilities, Consumer Products, Communications (typically, voice, data, and video-transmission providers), and Entertainment & Media companies. Individual industries that represented less than 1% of respondents—Defense & Aerospace, Agriculture & Food Service, and Transportation—are represented as “Miscellaneous” in Figure 1.
It’s not surprising that the largest share of respondents (17.8%) represent the Financial Services sector as it is the most mature in terms of cyber-security posture [1]—and it is among the most targeted [2].
Application Usage
To set the context for any discussion of risk, we need to understand what applications organizations are using and their criticality to the organization. Our first group of survey questions focused along these lines, and we saw some interesting differences in how industry sectors answered.
How many web applications does your organization use today?
The number of applications in use tells us a lot about an organization’s dependence on applications and technology. Across industry sectors, there was significant variation in the number of applications in use. The average was found to be 760, with Financial Services reporting the most (1,106), and Energy & Utilities reporting the least (485), as shown in Figure 2. By any measure, 485 is no small number. The fact that all industries surveyed use 485 or more apps reveals how heavily today’s organizations depend on web applications. But clearly, the Financial Services number stands out, being significantly higher than other industries. This might be due to the size and sophistication required in processing financial transactions, loan origination, and accounting.