Modern Web Application Security in Practice: National-Scale Measurement and Managerial Insights from Türkiye


Creative Commons License

Erden A.

SSRN, vol. 0, pp. 1-32, 2025 (Peer-Reviewed Journal)

Abstract

Although web application security is a major concern, there is a considerable difference between recommended best practices for securing web applications and their application by organizations. The purpose of this research is to evaluate the extent to which best practice recommendations are being followed in configuring web application security in Türkiye. A sequential mixed-methods approach was used in the research process. First, a total of 2,463 of the most visited domains in the .tr top-level domain space were evaluated via the Mozilla Observatory tool. The evaluation yielded an average score of 27.19, while 53% of all the domains tested received a failing 'F' grade. Most often, important security-related elements such as Content Security Policy headers were either non-existent or misconfigured. In the next step, a qualitative case study was conducted on a leading organization that had received an 'A+' security grade. Interviews with the organization's Chief Security Officer identified that the organization views regulatory requirements as opportunities to improve its internal processes rather than as burdens. The success of the organization was directly related to having a strong security culture, actively engaged senior management, and incorporating security as part of its daily development processes. The frameworks used in the analysis include Institutional Theory, the Resource-Based View, and the Technology-Organization-Environment Framework, which together provide a conceptual model of how external influences, internal resources/capabilities, and managerial perceptions/direction combine to produce security results. The results of the study identify the need for increased adoption of both technical solutions and organizational and cultural practices to enhance web application security.