Another day, another web application breach hits the news. This time ITWorld reports "Hackers steal user data from the European Central Bank website, ask for money." I can’t say that I’m surprised. Although vulnerabilities such as SQL injection and cross-site scripting are easy for attackers to detect and exploit, they are still very common across many web applications. The survey we just completed with IDG highlights the problem: 83% of respondents said it was critical or very important to close their gaps in assessing web applications for security issues. However, a typical enterprise:
- has 804 internally developed web applications
- plans to develop another 119 web applications with internal development teams over the next 12 months
- tests only 38% of those web applications for security vulnerabilities
And these numbers don’t include the web applications sourced from third-party software vendors or outsourced development shops. The assessment methodologies for finding web application vulnerabilities aren’t a mystery; we all know about static and dynamic testing. It’s the scale at which web applications must be found, assessed for vulnerabilities and then remediated that makes this difficult for large enterprises. Think about it: 119 applications over the next 365 days means a new web application is deployed on an enterprise web property roughly every 3 days. Is it any wonder that web application breaches keep happening?