A new study has highlighted the poor state of web application security. Positive Technologies tested various web applications, and found that every single one contained vulnerabilities, with 52% containing high-severity weaknesses.
The Web Application Vulnerabilities report also found that:
- 48% of tested applications were vulnerable to unauthorised access;
- 44% of applications placed personal data at risk;
- 70% of applications were susceptible to leaks of critical information; and
- 17% of applications contained vulnerabilities that would allow an attacker to take full control of the application.
Almost two thirds of the detected vulnerabilities (65%) were the result of application development mistakes, such as coding errors and misconfiguration. It is tempting to blame one or two people for a mistake and to treat the problem as solved once they have been disciplined or dismissed, but that is not how cyber security should work. People make mistakes, and organisations should build a layered defence that catches those mistakes before an attacker does.
Organisations’ defences should include regular web application penetration tests, which find security problems in websites and web applications, and provide ways to mitigate the risk.
Penetration testing is essentially a form of controlled hacking in which a tester, working on behalf of the organisation, looks for vulnerabilities in the same way as a cyber criminal would. Testers review server systems, static content and server-side programs that implement the application logic to identify insecure development practices in the design, coding and publishing of software.
Penetration testers will then provide recommendations for improving the organisation's security posture. Depending on the vulnerabilities found, they might advise adjusting the organisation's development practices to keep untrusted data separate from commands and queries (the classic defence against injection flaws), building strong authentication and session management controls, or encoding untrusted data before it is placed in active browser content (the defence against cross-site scripting).
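The first and third recommendations above are easiest to see in code. The following is an added example written for this page, not code from the report or from IT Governance: it builds a constructed in-memory user table, shows a lookup that splices untrusted input into the SQL text beside one that binds it as a parameter, and shows an HTML greeting that embeds input raw beside one that encodes it. The table, the user names and the payload strings are all invented for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the report).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Constructed attacker inputs: one targets the query, one targets the page.
INJECTION_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: untrusted input becomes part of the SQL statement itself,
    so a quote in the input can change the meaning of the WHERE clause."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the statement is fixed; the value travels as a bound
    parameter and is only ever compared, never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def greet_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is placed into markup unencoded, so a
    <script> tag in the name is rendered as script by the browser."""
    return f"<p>Welcome, {name}</p>"


def greet_safe(name: str) -> str:
    """Hardened: HTML-encode the value before it enters the document, so
    the browser shows the characters instead of interpreting them."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both payloads through the vulnerable and hardened versions."""
    conn = make_db()
    return {
        "unsafe_rows": find_user_unsafe(conn, INJECTION_PAYLOAD),  # every row
        "safe_rows": find_user_safe(conn, INJECTION_PAYLOAD),      # no match
        "unsafe_html": greet_unsafe(XSS_PAYLOAD),                  # live script
        "safe_html": greet_safe(XSS_PAYLOAD),                      # inert text
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

Against the constructed table, the spliced query returns both users because the payload rewrites the condition to `username = '' OR '1'='1'`, while the parameterised query returns nothing because it looks for a user literally named `' OR '1'='1`. The same separation of data from syntax is what output encoding achieves on the browser side.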
You can learn more about penetration testing and the types of test we offer on our website. IT Governance offers fixed-price and bespoke CREST-accredited penetration tests, and all our tests are followed by reports that rank and rate vulnerabilities in your systems.