A study has revealed that almost a quarter of the security findings uncovered in web applications were serious enough to be rated 'critical' or 'high impact'.
Corsaire's six-year 'State of the Web' report identified security issues and vulnerabilities in 100 per cent of the applications assessed, using hundreds of checks that map to around eighty application security control categories.
The finding does not mean that every application had an exploitable vulnerability, but rather that none conformed to all of the security controls that were defined and used for testing.
Areas examined as part of the study included authentication, data validation, session management, authorisation (access control) and data transport security. Just under a quarter of the findings were regarded as having a critical or high impact on application security, representing a significant likelihood of data loss or other compromise. The remaining three quarters were split between medium and low impact.
Low and medium-impact findings were identified almost universally, but high-risk issues were identified in between 71 per cent and 97 per cent of applications each year (including 92 per cent of those tested so far in 2008). While only five per cent of findings were rated critical, these were present in up to half of the applications assessed each year.
Martin O'Neal, managing director of Corsaire, said: “It seems that a lot of companies are still in the dark when it comes to application security, and yet web-based applications are being faced with more and more sophisticated attacks all the time.
“What our research shows very clearly is that a lot of companies really need to protect themselves now, instead of just waiting for disaster to strike. Having reviewed our data on a wide range of organisations, it seems that no one is immune to some degree of danger in this area.
“Despite the fact that increasingly complex applications will carry more associated risks, these vulnerabilities can often be eliminated through a more structured approach to security during development.
“In fact, by employing rigorously specified security requirements, backed by developer education and regular security testing checkpoints, businesses can effectively define what security is – and what is required of the organisation – and can therefore help to ensure that personnel have both the understanding and skills required to deliver improvements in this area.”