There are about 92 million sites on the World Wide Web, according to industry estimates. How many of them have been audited by a third party for application security vulnerabilities?
"I'd say maybe 10,000," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who also is a member of the board for the Web Application Security Consortium. "And that's pushing it."
All over the industry, application security experts are warning IT and security departments that the gap is growing between today's rapidly-evolving app-oriented exploits and the still-nascent defenses that most enterprises have in place. Yet, so far, most enterprises are moving at a snail's pace.
"I think a lot of people just don't understand the scope of the problem," says Mike Weider, CTO and founder of Watchfire, which makes one of the industry's oldest and best-selling tools for applications scanning. "In some cases, they have 1,000 Web apps or more, and those applications are changing daily. They may have checked for vulnerabilities in a few of those apps, but any of them could lead to a breach."
Industry statistics indicate that the experts are not just whistling Dixie. WhiteHat Security estimates that seven or eight out of every ten Websites are hosting at least one serious vulnerability that could put its data at risk. Gartner has estimated that figure at closer to 90 percent.
Attackers, meanwhile, have spotted the weak spot and are going after it. Symantec currently estimates that about 78 percent of all attacks are taking place at the Web application level. Last month's report from Mitre, which tracks common vulnerabilities and exposures across the Web, indicates that application-level attacks such as cross-site scripting and SQL injection have supplanted exploits such as buffer overflow as the favorite vectors for Web attacks. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)
Yet most enterprises still do not own a Web application firewall, and many don't yet do any application scanning, experts say. Many enterprises have never had a third party audit their apps for vulnerabilities -- in fact, many large enterprises don't even know how many Websites they operate, they say.
"One of the first things [WhiteHat] does when we go to a client site is find out where the sites are and who controls them," Grossman says. "A lot of companies are surprised to see how many sites they've got and how many Web apps they are really supporting."
Once they've got a handle on the scope of the problem, many organizations are unsure about how to solve it, experts say. The chief problem is there is no single tool that can find and fix all of the vulnerabilities. Web application firewalls protect against some threats, but they also let others through. App scanning tools can find many vulnerabilities, but they are far from 100 percent effective.
"There's a lot of detection that can only be done manually at this point," says Grossman. And many organizations are still unsure whether this sort of detection should be done by the IT security staff or by the developers who wrote the applications in the first place.
"Ultimately, you want to build the vulnerability scanning and testing phase into your development process, just as you do [quality assurance]," Weider says. "That's the only way to ensure that you're checking all of the applications that you're putting out there."
Realistically, however, enterprises should be more concerned about the applications they've already deployed than about revamping their QA process. "There are 92 million sites already out there," Grossman says. "It makes more sense to start backwards and check the apps that are exposed."
Enterprises should attack the problem first by identifying all their sites and the applications running on them, experts say. An audit by a third-party expert and a scan by a vulnerability scanning tool can give the enterprise a starting point for remediation. But even taking both of those steps will not eliminate all of the vulnerabilities.
"It's going to take some time to ferret out all of the vulnerabilities," Grossman says. "That's one reason why organizations need to get started."
Tim Wilson, Site Editor, Dark Reading