In a recent research survey of 200 security professionals, ESG discovered that 79% of enterprise organizations (i.e., more than 1,000 employees) have experienced web application security attacks over the past year.
This figure alone illustrates the level of hacker activity and the dangers of the current threat landscape, but that’s just the tip of the iceberg. ESG also probed further into specific types of web application security attacks to see if there were any patterns. It turns out that cyber adversaries are attacking a multitude of web application features and functions. Enterprises have experienced attacks in the following areas (percentage of enterprise organizations reporting each type):
- 27%: Application authentication
- 25%: Attacks on sensitive information
- 25%: Configuration management
- 25%: Application authorization
- 21%: Session management
- 18%: Parameter manipulation
- 16%: Auditing/logging
- 16%: Exception management
- 16%: Input validation
As the old saying goes, “the cybersecurity chain is only as strong as its weakest link.” Clearly the bad guys are intent on probing web applications until they find and exploit some application vulnerability.
The good news is that I do see more emphasis on secure software development lifecycles, developer security training, and web application security testing. The bad news is that these changes appear to be moving at a glacial pace. Additionally, there is still an organizational and cultural gap between software developers and security professionals that you could drive a truck through.
We are developing a lot more web and mobile applications, but we aren’t doing enough to make them secure. The bad guys know this all too well. Unless we address software security in a meaningful and holistic way, all of the next-generation firewalls, Advanced Malware Detection/Prevention (AMD/P) gateways, and big data security analytics tools in the world will provide increasingly marginal protection.