An increase in risks and vulnerabilities in web applications has been described as 'no surprise'.

Brian Contos, chief risk strategist at Imperva, claimed that news that more than a quarter of all web applications have a high risk of security vulnerabilities comes as no surprise, nor is the fact that the problem is getting worse.

The 2009 annual web application security report from NTA analysed data gathered from web application security tests performed for a wide range of industry sectors across a 12-month period. Of the applications tested by NTA, 27 per cent contained at least one high-risk issue compared with 17 per cent in the previous year.

Contos said: “Although this comes as no surprise to us, it is an appalling indictment on the software audit and control operations in most companies. With NTA spotting an average of 13 vulnerabilities per test, it's clear that IT departments really do need to pull their socks up in terms of testing and auditing of their software development processes.”

He claimed that the amount of vulnerabilities detected proves what Imperva has been telling its clients for some time, namely that few organisations have the in-house resources to perform regular software testing and updating a clearly-stated set of application security policies.

Also, even fewer companies do as NTA Monitor suggests and include security service level agreements into their contracts with internet or managed service providers.

Contos claimed that staff training is central to application auditing and testing, and, since few organisations have the time or skills required, the key to the problem is effective outsourcing.