Analysis of Web Site Penetration Retests Shows 93% of Applications Remain Vulnerable After “Fixes”
FOSTER CITY, CA – June 28, 2004 – Imperva, Inc., the world’s leading provider of advanced application security solutions, today released the results of a four-year study into the vulnerability of public and private web applications. A key section of the report asserts that periodic penetration testing alone is not an effective means of reducing the risks associated with Web-enabled applications. Analysis of penetration retest data shows that, despite periodic penetration testing and subsequent “fixes,” the risk carried by an application does not decrease; it remains constant and may even increase over time.
The retests conducted by Imperva’s Application Defense Center (ADC) revealed that the share of applications with “high” or “critical” vulnerabilities actually increased, from 89% in first-time tests to 93% in retests. In more than 50% of the retests, categories of vulnerabilities that had not appeared in the first test were found.
The report offers multiple explanations for these findings:
* After the penetration test, developers did not fix the identified vulnerabilities, either because they did not know how to fix them or because they ignored the results of the test.
* New vulnerabilities were introduced by developers in the time between tests, either as part of the normal evolution of the Web site or as a side effect of attempts to fix vulnerabilities identified during the penetration test.
* With additional time and the experience of the first test, the penetration testing team was able to find additional vulnerabilities that had existed but went undetected during the first test.
“Security-minded software development and diligent testing of applications are necessary components to address compounding application vulnerabilities,” said Shlomo Kramer, Imperva CEO. “However, to actually improve security over time, organizations need to deploy application security solutions and continue to use penetration testing to measure their efforts.”
Application-level attacks on the rise
Application-level vulnerabilities leave the door open to costly external Web attacks, internal database breaches, and worms.
“Application-level security threats continue to rise steadily in terms of volume and impact,” said Mark Bouchard, senior program director at META Group, a leading provider of information technology research, advisory services, and strategic consulting. “Relying solely on software vendors to fix related vulnerabilities is a flawed strategy, particularly as the time for the bad guys to develop their attacks is clearly shrinking. The result is the need for controls that provide protection not only at the application layer, but also on a continuous, always-on basis.”
About “How Safe Is It Out There?”
The study detailed in the report, which ran from 2000 to 2003, summarizes the analysis of over 300 application penetration tests of public and private sector Web applications. The resulting white paper provides unique insight into the frequency, types, risk and consequences of the vulnerabilities found across a test group of financial, government, telecommunications and information technology organizations.
About Imperva, Inc.
Imperva is the world’s leading provider of advanced application security solutions. The firm’s SecureSphere appliance family delivers the industry’s only total application security solution by protecting enterprise application assets from all critical threats including targeted external Web attacks, internal database breach, and worms of any origin. The company also operates the Application Defense Center, a research and professional services organization dedicated to building the most advanced application security knowledge base in the world. Led by Shlomo Kramer, a Check Point Software Technologies founder, Imperva is privately funded by Accel Partners, Venrock Associates, and US Venture Partners.