BURLINGTON, Mass. — April 27, 2015 — Veracode, a leader in protecting modern enterprises from today’s pervasive web and mobile application threats, today announced that research conducted by IDG reveals that enterprises in Germany are leaving 62 percent of their web and mobile applications unaudited for critical vulnerabilities such as SQL injection and Cross-Site Scripting (XSS).
This result is consistent with previously released results for US enterprises (61 percent) and UK enterprises (66 percent). Taken together, these figures show that most firms lack visibility into application-layer risk, leaving them particularly exposed to attackers seeking to steal sensitive corporate data or cause downtime, either of which can lead to significant brand damage and financial loss.
The challenge is that, as enterprises increasingly rely on web, mobile and cloud applications to drive their businesses, the threat surface exposed to cyberattackers has dramatically expanded. At the same time, the majority of security investments have been focused on network-layer defenses, which were not designed to protect against application-layer attacks. As a result, applications have now become a top target for cyberattackers, with application-layer vulnerabilities exploited as a point of entry in many recent high-profile breaches.
The study also found that German executives are more likely than their US and UK counterparts to have mandated enterprise-wide governance programs for application security (62 percent of enterprises in Germany, compared with 51 percent in the US and 38 percent in the UK). Yet the share of applications left unaudited in Germany (62 percent) is essentially the same as in the US and UK. This suggests that German firms may take application-layer risk more seriously, but have not yet found a way to scale their programs effectively across the enterprise: a governance mandate on paper has not translated into assessment coverage in practice.
“Enterprises are leaving hundreds or thousands of applications vulnerable because they’re challenged by the complexity of first-generation on-premises tools,” said Phil Neray, vice president, enterprise security strategy for Veracode. “Automated cloud-based services – using centralized policies, security analytics and a platform that is continuously learning how to address new threats and reduce false positives – provide a simpler and more scalable approach for reducing this lack of visibility into application-layer risk.”
The IDG study asked executives at large enterprises about their application security programs and practices. The purpose of this study was to gain a better understanding of the enterprise application security environment, particularly for internally-developed applications. The study also forecasted the growth in future application development and application security budgets. A sample of data from the study can be found here.