Building and maintaining comprehensive web security controls can
consume a large percentage of the limited budget you
have for developing the actual application features users
need to get useful work done. In fact, web application security is so challenging that WhiteHat Security reported in its 2017 Application Security Statistics Report that the average web application has three vulnerabilities.² Are we are not investing enough in penetration testing and remediation?
Do we not understand the risks? Are we not deploying the right tools to mitigate these vulnerabilities? These are persistent, long-standing problems that remain omnipresent due to the difficulty of building and rebuilding remediations into every new application that is shipped. Understanding and defending against web application vulnerabilities typically requires focused
security expertise, a skillset that few developers can realistically cultivate while getting actual development done at the same time.