"First the good news: Despite the global recession, two-thirds of organizations either have no plans to cut Web application security spending, or they expect their spending to increase this year. Now the bad news: Spending for security applications is less than 10 percent of the overall security budget in 36 percent of organizations, few of which have developers dedicated to security, according to a new Open Web Application Security Project (OWASP) report (PDF).
Around 67 percent of the survey's respondents -- security professionals and executives from 51 companies -- have a dedicated IT security budget, while 89 percent of companies with 1,000 or more employees have a dedicated security spending pot. Not surprisingly, companies that had been hit with a data breach in the past two years were more likely (86 percent) to have a dedicated security budget than those that had not suffered a public breach (52 percent).
More than one-fourth of the companies in the survey say they will be spending more in Web application security this year than last; 36 percent expect their spending to stay the same.
But most aren't investing a lot in developers with security know-how. Around 40 percent of the respondents have less than 2 percent of their developer staff dedicated to security, according to the report."