The Web Application Threat Landscape Is Getting Worse

Hackers growing more creative, attentive, and persistent

ESG just published a new research report titled Web Application Testing Tools and Services. The report is based on data collected in a survey of 200 North American-based security professionals working at enterprise organizations (i.e. more than 1,000 employees). One of the questions asked security professionals how they would compare the web application threat landscape today with that of two years ago. It turns out that things are going downhill: 21% of respondents say that the web application threat landscape is “significantly worse” than it was 24 months ago, while another 36% believe that it is “somewhat worse” than it was 24 months ago.

Why the glass-half-empty perspective? Security professionals tell ESG that web application attacks continue to grow:

1. More persistent. For example, 18% of respondents say they face web application attacks “several times per week” on average. Furthermore, these are just the serious and more sophisticated application-layer attacks; security professionals still have to deal with basic script kiddies and network-layer nuisances.

2. More creative. Yes, hackers still rely on tried-and-true SQL injection, but there are more attacks on authentication, session management, input validation, etc.

3. More responsive to the news. More than three-fourths of organizations use Java for web application development. Many of these firms report a rapid increase in attack volume when Java security vulnerability news was widely reported in January 2013.

Web application threats are also exacerbated by the increased size of the attack surface. Many organizations are developing and deploying new web applications as quickly as they can. Software security isn’t sexy, but it is an increasingly important requirement. HP and IBM get this, and so do independent players like Denim Group, Imperva, Veracode, and WhiteHat Security.
Unfortunately, many CISOs and software developers continue to minimize secure software development and testing. When this happens, we are all vulnerable.