According to the 2009 Web Application Security Report from NTA Monitor, 90% of all web applications have at least one medium-risk vulnerability and 27% have at least one high-risk vulnerability. The most common vulnerabilities are apparently those involving SQL injection, cross-site scripting and cross-site request forgery. One data security specialist told DaniWeb that not only should this come as no real surprise, but neither should the fact that the problem is steadily getting worse rather than better.
Brian Contos is the Chief Risk Strategist at Imperva, and he points out that the high-risk category percentage is up from 17% last year, while the medium-risk figure has risen from 78% a year ago. "Although this comes as no surprise to us," Contos says, "it is an appalling indictment on the software audit and control operations in most companies. With NTA spotting an average of 13 vulnerabilities per test, it's clear that IT departments really do need to pull their socks up in terms of testing and auditing of their software development processes."
Indeed, according to Contos, NTA Monitor's report proves what he has been saying for some time: few organisations have the in-house resources to perform regular software testing and to maintain a clearly stated set of application security policies. Worse, even fewer do as NTA Monitor suggests and include security service level agreements in their contracts with Internet or managed service providers.
Maybe some of the recently projected increase in security budgets for 2010 should be diverted to ensuring that web application developers do a better job of protecting those who use their products?
If you are a web app developer, how much of a priority is security in the overall scheme of things?