Why web application security continues to fail dismally

A survey of almost 600 IT professionals reveals that 98% of organisations have had their web applications compromised over the past 12 months. Only 2% of respondents said their web applications had not been compromised.

54% of participants in the Ponemon Cost of Web Application Attacks survey were from large organisations with more than 1,000 employees.

Furthermore, despite how frequently web applications are compromised, on average, less than half are tested.

Low rates of testing due to lack of knowledge and leadership support

The primary reasons for not testing more web applications were:

  • uncertainty over how much to test
  • senior management doesn’t understand application security or see its need
  • no budget
  • no expertise

The survey shows that web application security is considered at least as important as, if not more important than, other security measures. Data protection, prevention of revenue loss and compliance are cited as the three most important reasons to secure web applications.

Less than half of web applications are tested for vulnerabilities

Despite the fact that testing is ranked high in order of importance, 57% of respondents test less than half of their web applications, with only 32% saying they test more than three quarters.

Vulnerability scans and penetration tests are not conducted frequently

In addition, 45% admitted that testing is not conducted regularly. Only 13% of organisations tested their web applications every time they made code changes, while only 15% said they test their applications on a monthly basis.

Regular vulnerability scans and penetration testing should be a fundamental part of any organisation’s monthly and quarterly security review. These tests ensure that you can identify and fix vulnerabilities and security holes as quickly as possible, and that your cyber controls are working as effectively as they need to.

‘Fixing compromised web applications can take days or weeks’

The researchers found that most respondents (66%) said it takes days (44%) or weeks (22%) to fix a compromised web application once a vulnerability is found.

Web application attacks are costly

The average total cost per year of dealing with attacks against web applications is approximately $3.1 million (USD).

Web application firewalls (WAF) have not been implemented correctly

The report states that “while only an in-line WAF deployment can actually stop attacks, respondents believe an out-of-line deployment is most effective in stopping malware with known signatures and zero-day attacks.”

This report highlights once again that companies are simply not realising the importance of regular tests, despite rising costs and an increased frequency of breaches.

Penetration testing is an effective way of establishing what attackers can exploit before an organisation’s security team is able to detect and respond. It also provides a sound basis for information security strategy and resource allocation: by analysing the effectiveness of existing security controls, penetration tests provide evidence that can justify future investment.

Test your web applications with IT Governance for less than £2,000. Fixed-price penetration tests, conducted by skilled professionals, will identify potential vulnerabilities in your websites and web applications, and provide recommendations for improving your security posture, supporting your security programme, and helping you comply with the PCI DSS and ISO 27001. More advanced penetration tests that exploit vulnerabilities are also available.