Let that title sink in for a minute. A quarter of all web apps fail security miserably. That does not mean that the other 75% are secure; it means that the other 75% are less unsecure. For the 25%, it means that things are pretty hopeless.
For a quick cheat sheet on the OWASP top 10, click here.
The study continues to dissect the state of unsecurity:
- 69% of web applications have vulnerabilities that could lead to exposing sensitive data.
- 55% of web applications have cross site request forgery flaws
- Broken authentication and session management issues affected 41% of the applications
- 37% of the applications had security misconfiguration issues
- Function level access control is missing or ineffective in 33% of the web applications
- 80% of the applications tested contained at least one vulnerability
- And, the average number of vulnerabilities per application is 45.
So just a question – does it concern you that 80 percent of the web applications tested had at least one vulnerability and 25 percent had 8 out of the top 10?
The only way to know is to test for it. The best way to know is you have an independent third party test for application vulnerabilities. Think of this as a network penetration test, but for your applications.
While you can test the applications that your team writes, you can’t test applications on the Public Internet – the owner might frown upon it. As a business, if you have to use a particular web application as part of your business AND you have a business relationship with the web application owner (such as a supplier or a business partner), you can make completing a web application independent third party penetration test a requirement for doing business. This is easier for larger companies, but if you don’t ask, you won’t get it.
This also means that you should be careful about what applications that you use and what applications you enter sensitive data in. Since there is no equivalent to the “Good Housekeeping Security Seal”, although Underwriters Lab is working on one, there is no easy way to know which applications are secure and which ones are not.
Unfortunately, at the moment, there is no good solution to this problem. In almost all cases, developers have no liability at all – the user shoulders all of the responsibility. The best that I can say is be cautious.
Information for this post came from Help Net Security.