Mitigating the 'Unfab Four' Threats to Web Application Security

Michael Vizard

When it comes to IT security, an ounce of prevention is obviously worth a pound of cure. The problem is that no one is quite sure where to apply the prevention.

That's what makes a recent Web Application Attack Report from Imperva, a provider of database and application security tools, worth noting. We all know by now that Web applications are the primary targets of most security attacks. Imperva took a look at 30 Web applications that experienced more than 10 million individual attacks during a six-month period. What they found is that a huge percentage of the attacks came as a result of four classes of threats: SQL injection at 23 percent, Cross-Site Scripting at 36 percent, Remote File Inclusion at 4 percent and Directory Traversal at 37 percent. Not surprisingly, the report found that these attacks were often used in combination to scan for vulnerabilities and then exploit them.

Imperva CTO Amichai Shulman describes these threats as the "Unfab Four" in that they are the most popular methods of compromising a Web application. And just to make matters more interesting, the report finds that these applications were attacked about 27 times per hour on average - and some suffered 25,000 attacks per minute or seven per second when they came under sustained automated attack.

Clearly, these 30 applications are among the most popular on the Web, so naturally they are going to attract a lot of hacker attention. By the same token, these applications are also probably among the best-defended applications on the Web, which brings us to an interesting question: How long will it be before hackers decide to focus these attacks on targets that are not as well defended, especially if they are having little success with bigger targets?


It's pretty clear they have the means to automate these attacks. It's also pretty clear that, at least for the moment, they have three or four favorite means of launching those attacks. Beefing up your security to deal with these four specific threats isn't going to guarantee that your applications won't get compromised, but it should go a long way to making sure that your application is not so easily compromised.
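One practical first step toward "beefing up" defenses against these four classes is simply to measure how often each one shows up in your own access logs. The script below is an added example written for this post, not code from the Imperva report or its authors: it decodes request paths from a handful of constructed log lines (the log format, the signature patterns and the category names are all this example's own assumptions), tags each request with any of the four threat classes it resembles, and reports a per-class breakdown in the same spirit as the report's percentages. The patterns are deliberately narrow, so treat them as a starting point for tuning against real traffic rather than a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines (not from the report) in a simplified log format:
#   client  method  request-path  status
# The hostile-looking requests are textbook probes for each of the four classes.
SAMPLE_LOG = """\
203.0.113.5 GET /product?id=10 200
203.0.113.5 GET /product?id=10'%20OR%20'1'='1 200
198.51.100.7 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E 200
198.51.100.7 GET /index.php?page=http://remote.example/file.txt 500
192.0.2.9 GET /download?file=../../../../etc/passwd 403
192.0.2.9 GET /about 200
"""

# Assumed category names and detection signatures, one per "Unfab Four" class.
# They are intentionally conservative to keep false positives low on normal traffic.
SIGNATURES = {
    "sql_injection": re.compile(
        r"(?i)(?:'\s*(?:or|and)\b|\bunion\s+select\b|;\s*drop\b|--\s*$)"
    ),
    "cross_site_scripting": re.compile(
        r"(?i)(?:<script\b|javascript:|\bon(?:error|load|click|mouseover)\s*=)"
    ),
    "remote_file_inclusion": re.compile(
        r"(?i)[?&]\w+=(?:https?|ftp)://"
    ),
    "directory_traversal": re.compile(
        r"(?:\.\./|\.\.\\)"
    ),
}


def classify_request(path):
    """Return the set of threat classes whose signature matches the request path.

    The path is URL-decoded twice so that single- and double-encoded payloads
    (e.g. %2e%2e or %252e%252e for '..') are inspected in their decoded form.
    """
    decoded = unquote_plus(unquote_plus(path))
    return {name for name, pattern in SIGNATURES.items() if pattern.search(decoded)}


def parse_log(text):
    """Yield (client, path) pairs from the simplified log format above.

    Malformed lines are skipped rather than raising, since a single bad line
    should not stop a log-wide summary.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, _method, path, _status = parts
        yield client, path


def summarize(text):
    """Count how many requests match each threat class across the whole log."""
    counts = Counter()
    for _client, path in parse_log(text):
        for category in classify_request(path):
            counts[category] += 1
    return counts


def share(counts):
    """Express the per-class counts as percentages of all flagged hits."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for name, pct in share(counts).items():
        print(f"{name:24s} {counts[name]:4d} hits  {pct:5.1f}%")
```

Run it as-is to see the breakdown for the constructed sample; point `summarize` at your own log text (after adapting `parse_log` to your server's format) to get the equivalent figures for your applications. Because requests that trip more than one signature count toward each class, the percentages describe how often each technique appears, which matches how the report treats combined attacks.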

The report also notes that of the $27 billion spent annually on IT security, only about $500 million of that goes to application security. Consider yourself forewarned.
