Critical Web applications vulnerable

By Jacob Nthoiwa, ITWeb journalist.
Johannesburg, 02 Sept 2009

A recent application security survey shows most organisations in SA are not able to comprehensively test all of their business critical Web applications for security vulnerabilities.

The Application Security Survey 2009, conducted by ITWeb and HP Software + Solutions, questioned executives from organisations in SA with between three and 10 000 employees. These executives consisted mostly of management in the financial services, telecoms, and business services sectors. The survey attempted to probe various aspects of Web application security in local organisations.

Of the respondents, 64% said comprehensive testing of business critical Web applications for security vulnerabilities is not possible. Only 45% pointed out that their organisations are required to conform to security compliance standards, like payment card industry (PCI) standards.

Slightly more than half of the respondents (53%) said their organisations have security experts checking these applications before they go into production. Most respondents revealed their organisations do not do any application penetration security testing in development, quality assurance, or after changes in production. Of these, 61% said the testing is currently being done manually and 39% said automated tools are used when testing these applications.

Some 66% of the respondents noted their organisations have a development and testing environment to progress the application through its life cycle, with 34% saying they do not have such an environment. Some 72% of participants surveyed revealed that these applications are thoroughly tested before being moved into production, although the application might not necessarily be checked by security experts.

The survey also revealed that 53% of respondents say their applications are used internally, while 47% say these applications are used by both internal and external users, or have partners accessing them.

Furthermore, 80% of respondents said these applications have Web interfaces, while 75% noted they have dedicated client applications that communicate to backend servers.

Mission-critical applications in the organisation are both supplied by vendors and developed in-house, according to 39% of the respondents. Some 28% said any application that is critical to the running of the business is developed in-house, while 33% said those applications are supplied by vendors.
