The Ponemon Institute survey, commissioned by security vendors Barracuda Networks Inc. and Cenzic Inc., polled 637 IT and IT security practitioners on their views of Web application security. While 74% said Web application security is equally or more critical than other security issues, only 36% said their organization has adequate governance and policies over the use of insecure Web applications by end users across the enterprise.
Web applications have been a favorite target of attackers in recent years as they look for ways into company networks. Automated toolkits that make it easy to look for Web application vulnerabilities have fueled the increase in attacks. According to the survey, attempts to target website vulnerabilities are commonplace. Seventy-three percent of organizations had insecure Web applications hacked at least once in the last two years.
Attackers are targeting the same kinds of old-school vulnerabilities, according to studies from security vendors keeping track of attacks and firms that specialize in Web application security. SQL injection errors are the most common issue in Web applications, followed by cross-site scripting errors, input validation flaws and code injection errors. In its Top 25 List of Dangerous Coding Errors, the SANS Institute calls for better software development practices to address programming errors.
Respondents to the Ponemon survey feared website attacks the most, followed by network-layer attacks and attempts by cybercriminals to enter the company network via desktops, laptops or other connected devices. More than half (53%) are relying on a Web hosting provider to secure their organization's Web applications.
"The main reasons for not testing their Web applications are a lack of budget and expertise," the Ponemon report found.
When asked what the economic impact would be if they were attacked, 47% estimated it could range from $100,000 to $500,000, $255,000 on average. "IT practitioners recognize attacks can be costly due to the potential for the loss of sensitive data, fines due to noncompliance with regulations and business disruption," according to the Ponemon report.
Organizations indicated they use network firewalls and conduct internal pen testing. Industry experts say it's a common misconception that network firewalls can defend against Web application attacks; Web application firewalls and vulnerability scanning are more effective. More than half indicated they conducted Web application vulnerability scanning to test custom and outsourced applications. Those applications are primarily tested in development, the survey found. Only 13% of those surveyed indicated that they test their applications in production.
Data protection and compliance were cited as the top reasons to focus on Web application security. Experts say that adoption of some of the tools used to protect Web applications, including Web application firewalls, is driven by the Payment Card Industry Data Security Standard (PCI DSS).