Imperva’s Application Defense Center Releases Report “How Safe Is It Out There?”
FOSTER CITY, CA – June 28, 2004 – Imperva, Inc., the world’s leading provider of advanced application security solutions, today released the results of a four-year study into the vulnerability of public and private web applications. A key section of this report asserts that periodic penetration testing alone is not an effective means of reducing risks associated with Web-enabled applications. Analysis of penetration retest data shows that despite periodic penetration testing and subsequent “fixes,” the inherent risk to an application does not decrease, but remains constant and may even increase over time.
The retests conducted by Imperva’s Application Defense Center (ADC) revealed that “high” or “critical” vulnerabilities in applications actually increased from 89% to 93% after first time tests. In more than 50% of the retests, completely new categories of vulnerabilities appeared.
The report offers multiple explanations for these findings:
- After penetration testing developers did not fix the identified vulnerabilities either because they did not know how to fix them, or because they ignored the results of the test
- New vulnerabilities were introduced by developers during the time between tests – either as part of the normal evolution of the Web site, or as part of an attempt to fix vulnerabilities identified during the penetration test.
- With additional time and the experience of the first test, the penetration testing team was able to find additional vulnerabilities that existed but were undetected during the first test.
“Security-minded software development and diligent testing of applications are necessary components to address compounding application vulnerabilities,” said Shlomo Kramer, CEO. “However, to actually improve security over time, organizations need to deploy application security solutions and continue to use penetration testing to measure their efforts.”
Application-level attacks on the rise
Application-level vulnerabilities leave the door open to costly external Web attacks, internal database breaches, and worms.
“Application-level security threats continue to rise steadily in terms of volume and impact,” said Mark Bouchard, senior program director at META Group, a leading provider of information technology research, advisory services, and strategic consulting. “Relying solely on software vendors to fix related vulnerabilities is a flawed strategy, particularly as the time for the bad guys to develop their attacks is clearly shrinking. The result is the need for controls that provide protection not only at the application layer, but also on a continuous, always-on basis.”
“About How Safe Is It Out There?”
The study detailed in this report, which ran from 2000-2003, summarizes the analysis of over 300 application penetration tests of public and private sector Web applications. This resulting white paper provides unique insight into the frequency, types, risk and consequences of vulnerabilities that exist across the test group of financial, government, telecommunications and information technology organizations. Read full text of study
About Imperva
Imperva is the leader in application data security and compliance. Leading enterprise and government organizations worldwide rely on Imperva to prevent data theft and abuse, and ensure data integrity. The company’s SecureSphere products provide data governance and protection solutions that monitor, audit and secure business applications and databases. For more information, visit www.imperva.com
# # #
Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.
Editorial Contact
Marc Gendron
(781) 237-0341
marc@mqpr.net