Infographic: How cyber-secure are public companies?

This infographic presents some less-than-stellar numbers illustrating how well public companies are securing their web applications.

The infographic below, courtesy of Veracode, presents a pretty sobering look at how well public companies are doing with cybersecurity -- breaking down the most popular attack vectors and the types of exploits that have been the most successful. The graphic is based on Veracode's "Study of Software Related Cybersecurity Risks in Public Companies", which you can download by following the link (requires registration).

Measured against the Open Web Application Security Project's (OWASP) Top 10 list of critical web application flaws, 84% of the companies' web apps were deemed unacceptable. The data collected for this report came from 126 public companies over the last 18 months.


Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...


and the law of profit is "Do as little work as much as possible for the maximum amount of return", I doubt private companies are doing much better and, especially for the rising fad of BYOD and how it's not hard to hack Android (or even unjailbroken iDevices, thank scores of PWN2OWN events), the best is yet to come... or worse, it depends if you're a supply-side company that did things on the cheap or not...


(Quick note: by "public" I think the author meant "publicly traded," not government owned. Now onto my screed.) Government removes the profit motive (so you can drop the latter half of your quote) and, largely, the consequences of their (in)action. At least public companies are waking up to the issue and realizing that not only can failures of cyber-security cost them a lot immediately (stolen IP, lawsuits over exposure of personal / health / financial data, paying for credit monitoring of exposed customers), but they can also lead to long-term bad press and ill-will that will choke the bottom line. "If they're that sloppy with those people's information, why would I want to do business with them and put myself at risk?" As companies get a better idea of the cost of a security breach, they are more than willing to pay to hedge against that. In the government sector, unless you cause a scandal that actually gets published in the press, there is little to no motivation to plug the holes in IT security. I would normally make an exception for the military, where loose lips (and keyboards) really _DO_ sink ships, but then the Wikileaks / Manning scandal uncovered that the military had demanded to use insecure workstations with their Top Secret database network. Where were the resignations over that?
