Why does web application security continue to fail so dismally?

A recent survey by the Ponemon Institute of almost 600 IT professionals reveals that 98% of organisations have had their web applications compromised over the past 12 months.

54% of participants in the Ponemon Cost of Web Application Attacks survey were from large organisations with more than 1,000 employees. 75% of our customers in this bracket tell us that they recognise the need for security enhancement, but few have provisioned budget against this.

Why? Because most web applications have vulnerabilities and re-developing and testing them can be a costly and time consuming process….. or so people think!

Unbeknown to many, installing an in-line web application firewall, such as a Citrix NetScaler is a highly effective and cost efficient way to prevent the exploitation of vulnerabilities with no re-development costs.

We’ve used this NetScaler fix in our own business and with hundreds of businesses across the UK, all of which have successfully mitigated the risks of an application with a cross site scripting vulnerability in an environment where data security is paramount.

According to the research the primary reasons for not testing more web applications are:

• uncertainty over how much to test
• senior management doesn’t understand application security or see its need
• no budget
• no expertise

Less than half of web applications are tested for vulnerabilities

The survey also shows that web application security is considered at least as important or more important than other security measures. Data protection, prevention of revenue loss and compliance are cited as the three most important reasons to secure web applications.

Despite the fact that testing is ranked high in order of importance, 57% of respondents test less than half of their web applications, with only 32% saying they test more than three quarters.

Vulnerability scans and penetration tests are not conducted frequently

In addition, 45% admitted that testing is not conducted regularly. Only 13% of organisations tested their web applications every time they made code changes, while only 15% said they test their applications on a monthly basis.

Regular vulnerability scans and penetration testing should be a fundamental part of any organisation’s monthly and quarterly security review.

These tests ensure that you can identify and fix vulnerabilities and security holes as quickly as possible and that your cyber controls are working as effectively as they need to. Contact us if you’re not sure how to do this and we can walk you through the process.