Web applications under attack for a third of the year

Web applications may face more than 2,700 attacks per year, according to research by Imperva.

It said that monitoring 50 web applications saw annual attack levels of 274 times a year, with one application experiencing more than 2,700 attack incidents. Its Web Application Attack Report also found that the average attack incident for the observed web applications lasted seven minutes and 42 seconds, but the longest attack incident lasted an hour and 19 minutes.

Amichai Shulman, CTO at Imperva, said: “These findings indicate a significant difference between an average web application attack incident and the upper limit. We believe that organisations that are only prepared for an average attack incident may be overwhelmed by larger attack incidents, like a flood bursting through a levy.

“The cyber battlefield looks a lot more like a border keeping mission than total war – most of the time very little happens, but every once in a while there's an outbreak of attacks. Regardless of the frequency of attacks and peaceful periods, we believe organisations need to be prepared for these bursts of activity during attack incidents.”

The report also said that applications can expect attack incidents for a third of the year (120 days per year), some targets experience attacks for 292 days of the year or nearly 80 per cent of the time. It also claimed that the intensity of attacks is increasing, with some applications typically seeing some serious attack action roughly every third day for just a few minutes.

Rob Rachwald, director of security strategy at Imperva, said: “Chances are most companies are totally unaware of the application attacks they experience. Why? Part of the answer came out on July 30th, when Gartner released the Forecast: Security Infrastructure Worldwide, 2010-2016, 2Q12, featuring security spend figures for the security industry.

“In 2011, nearly $56 billion was spent on security consulting, hardware and software. How much was spent to secure applications? Not much. In fact, Gartner didn't even bother to break out application security, instead grouping it into the ‘Other Security Software' category, which was just 6.6 per cent of total spend. By contrast, network firewalls and IPS, which are completely blind to the attacks we describe in our report, received the bulk of the spend.”

Sign up to our newsletters