This report helps CIOs & CISOs understand the paradigm shift in the web application security domain
Indusface, a leading provider of application security solutions for web and mobile applications, has outlined some eye-opening website security statistics from India and the reasons behind them. Best practices in application security are often incredibly confusing and time-consuming in the Indian context. Indusface has published a report to guide CIOs and CISOs in understanding the paradigm shift taking place in the web application security domain.
Indusface report will help organizations understand the gradual changes in the web application security domain.
1. Database breach is easier.
According to the data that Indusface collected from more than 2.9 million scans and 4.5 billion ethical hacks, their experts are certain that it is easier for hackers to infiltrate databases. There are two reasons for this. Firstly, an SQLi vulnerability was found on more than 90% of the applications tested; it provides direct access to a database where attackers can read and edit files. Secondly, system administrators rarely know about it. Given that most medium-sized organizations in our country are unable to detect SQL Injection attacks, there is a good chance that many of them are bleeding sensitive data without knowing it.
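As an added illustration of the two points above (example code, not from the Indusface report): the string-concatenated query that lets a quote in user input rewrite the SQL, its parameterised counterpart, and a crude pattern check over access-log lines of the kind an administrator could use to notice injection attempts. The table, the log lines and the detection pattern are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

def make_db():
    # Constructed in-memory sample table; not data from the report.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"),
                      (2, "bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    # Input is pasted into the statement, so quotes in it change the SQL grammar.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Bound parameter: the driver passes the value as data, never as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

# Two common injection shapes: a quoted tautology and a UNION-based read.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s+'|union\s+select", re.IGNORECASE)

# Constructed combined-format access-log lines (hypothetical hosts and paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2015:10:01:02 +0530] "GET /search?q=laptop HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2015:10:01:07 +0530] "GET /login?user=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Mar/2015:10:01:09 +0530] "GET /item?id=5%20UNION%20SELECT%20name%2Cemail%20FROM%20users HTTP/1.1" 500 120',
]

def flag_requests(log_lines):
    # Returns (client_ip, decoded_path) for each request whose path matches SQLI_PATTERN.
    flagged = []
    for line in log_lines:
        client_ip = line.split(" ")[0]
        request = line.split('"')[1]            # e.g. 'GET /path HTTP/1.1'
        path = unquote(request.split(" ")[1])   # decode %27 -> ' etc. before matching
        if SQLI_PATTERN.search(path):
            flagged.append((client_ip, path))
    return flagged

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))  # both rows: the WHERE clause is always true
    print(lookup_safe(db, "' OR '1'='1"))        # []: the literal string matches no name
    print(flag_requests(SAMPLE_LOG))             # the second and third log lines are flagged
```

A pattern check like this catches only the crudest attempts and is no substitute for parameterised queries; it is here to show that the attempts are visible in logs the organisation already keeps.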
2. Cross-site scripting is abundant.
Although XSS is not really one of the most pressing issues for most companies, it is as common as SQLi. Approximately 97% of the tested websites had XSS, and chances are that they did not consider it a severe issue. However, XSS can cause real problems for businesses by putting not only their servers at risk but also their users.
3. Most organizations are not testing their applications.
According to the Indusface research team, 7 out of 10 websites are hacked at the application layer, but overemphasis on network security and lack of awareness of application security have led many companies to overlook the risks entirely. Most of them do not even know about the OWASP Top 10 vulnerabilities, or how they can be used to breach the system.
4. Application patching is procrastinated.
If it isn’t broken, why fix it? Probably one of the primary reasons why most companies overlook application layer vulnerabilities is that these are difficult to fix. E-commerce and other competitive industries have to make changes frequently, and customer experience is their top priority. On the other hand, banking, insurance, and other finance companies aren’t too keen to change things, as it involves complete planning and auditing.
Mr Venkatesh Sundar, CTO at Indusface, says, “Application security is a very niche branch of information security. It requires specific understanding of how Layer 7 interacts over the World Wide Web and also other communication layers within the organization network.”
State of Application Security in India
Sub-continental organizations need to take a closer look at the local scenario of problems rather than reading about what’s happening with global companies like Target, Sony, and Alibaba. Organisations in India need concrete facts on whether the risks are real even for companies out here and, if they are, what ways hackers can breach the system. This is what inspired Indusface to work on the ‘State of Application Security’ infographic.
Here are some of the key India-centric facts:
91% of the websites that IndusGuard web application scanner tested had SQL Injection vulnerability
97% were prone to Cross-Site Scripting attacks
SQL Injection and Sensitive Information Leakage by web application breach have increased significantly
More than 10 million internet shoppers, growing yearly by 30%, attracting cybercrime
185 million active mobile internet users with 243% growth, a platform which is highly vulnerable
58% of attacks are for financial gain and 42% are by foreign governments
155 .GOV and NIC domains were hacked last year
32,323 public Indian websites were hacked in 2014, a 14% Y-o-Y increase
The Future of Web App Security
“Attacks on Layer 7 are definitely going to increase, primarily because of their public-facing nature. We have already witnessed giants of the West falling to these breaches and it’s about time to raise the concern bar before something major happens in the subcontinent,” adds Mr Sundar.
While enterprises should adopt application security for obvious reasons, small and medium businesses cannot shy away from it either. They have to begin at the basic level at least. More importantly, the government websites that handle defense and other sensitive data should test and protect their web applications as cross-country wars heat up on a global scale.