Did you know that your applications are the most vulnerable part of your IT operations?
These days, problems with apps — many of them web-based apps — account for the majority of information security breaches. Over the last year or so, and going forward, application-level attacks have emerged as the preferred vector for gaining access to sensitive (and valuable) data. What’s more, the threats are becoming increasingly acute as complex web apps, as well as mobile apps, play ever greater roles in our business and personal activities.
App vulnerabilities for sale — cheap at the price?
One recent study, based on 10 years of data, reveals that zero-day vulnerabilities (flaws not yet known to the software vendor) are for sale publicly at prices ranging on average from $35,000 to $160,000 per vulnerability. Over the last three years, the study notes, at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products were available for purchase on any given day. Further, the study found that an average of 151 days passed from the time a vulnerability could be bought until the affected vendor released a patch.
Such slow response is far from unusual. For instance, SQL injection surfaced in 1998 and remains the top threat to apps today. In the last 15 years, according to one security expert, SQL injections have been responsible for 83% of breaches.
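To make concrete why a 15-year-old flaw class still tops the list, here is an added example (not from the original post) showing the two halves of the problem: a login check that concatenates user input into its SQL text, and the same check written with a parameterized query. The database, table, user and password are constructed in memory for the demonstration and are assumptions, not anything the post describes.

```python
import sqlite3

# Constructed demo schema and user; an assumption for this example only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The classic 1998-era pattern: user input is pasted straight into the
    # statement, so the database parses whatever the user typed as SQL.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Values are bound separately from the statement text; the engine
    # treats them as data, never as SQL, so the quote trick below is inert.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# A textbook payload: closes the password literal and appends an OR that is
# always true, turning the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
INJECTION = "' OR '1'='1"


def demo():
    """Run both implementations against a legitimate login and the payload."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", INJECTION),
        "param_legit": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, "alice", INJECTION),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'LOGIN OK' if ok else 'denied'}")
```

The vulnerable version accepts the payload without knowing the password at all, because SQL's AND binds more tightly than OR and the trailing `'1'='1'` is always true. The parameterized version denies it, and no amount of quoting or escaping discipline in the application is needed to get that result: the fix is structural, which is why scanners flag string-built queries rather than trying to reason about each escape routine.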
2013’s top 10 app threats
For a sense of the scope of these stubborn, relentless threats, I offer the Open Web Application Security Project's (OWASP) 2013 Top Ten Application Security Risks, which draws on data covering more than half a million vulnerabilities in thousands of applications used across hundreds of organizations:
2013 Top 10 Web Application Security Risks
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Source: OWASP Top 10 — 2013: The Ten Most Critical Web Application Security Risks
Now for the good news …
I'm happy to report that there's some good news here too: our ability to conduct thorough, effective, low-friction application scanning has never been better, and it has never been easier to deploy, thanks to customizable application security scanning services like those offered by Quest.
In my next post, I’ll explore some of the capabilities you should look for in an application security scanning service and lay out a few suggestions about how to keep your apps, data and business safe and thriving.
Learn more about Application Development Services by Quest