Risk: Informational
NTA's Annual Web Application Security Report 2007 has discovered that 90% of UK organisations' websites are insecure. A further 33% of websites have been found to contain critical vulnerabilities that are widely known and actively exploited by hackers.
The report analyses data gathered from web application security tests undertaken on behalf of a variety of organisations, including financial institutions, legal practices, universities and local government bodies, during 2006.
Roy Hills, Technical Director at NTA Monitor, says: "Web applications are accessible 24 hours a day, 7 days a week and control sensitive data such as customer details, credit card numbers and proprietary corporate data. With an ever increasing number of people using the Internet for personal business such as banking, bill payments and shopping, and as a core part of their working lives in terms of remote working and resource sharing, it's high time that organisations take greater steps towards protecting these revenue generating and efficiency enabling systems."
As the number, size and complexity of web applications increases, so does the risk exposure. Attackers focusing on web application security problems are actively developing tools and techniques for exploiting them. Three key recommendations that organisations can follow to reduce their risk are:
- An account lockout mechanism should be in place to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute force user accounts
- META characters such as single quotes, double quotes and semi colons should be disallowed in order to minimise the threat of SQL injection attacks, which are a high risk vulnerability
- In order to help protect against keystroke loggers, the mouse and keyboard should both be used during login processes, for instance, users should be asked to use drop-down boxes or radio buttons as well as keying in details
The full report is available now from NTA Monitor by emailing marketing@nta-monitor.com