Web applications fail security tests

Only three per cent of web-based applications are secure enough to resist hackers, according to new research.

Tests conducted on behalf of application testing specialist the Sim Group showed that 97 per cent of web sites have 'serious security flaws', leaving data and systems open to abuse.

If the situation continues, trust in online services could be seriously damaged, deterring already nervous consumers from buying online.

Businesses must test web-based applications for security flaws with the same stringency they apply to hardware and networks, says Sim Group managing director Bob Bartlett.

'This figure doesn't surprise me, and it's probably something to do with head in the sand syndrome,' he said.

'People that have a web site and are putting any volume through it, are looking at it and thinking, "maybe there's a bit of fraud going on, but not to worry because I'm still making a profit". People are ignoring the problem,' he said.

Tests of 300 web applications were undertaken by web security specialist Sanctum. Of the 97 per cent of serious security flaws identified, almost 40 per cent would allow malicious intruders to gain full control and access to information.

Around 23 per cent of flaws constituted a privacy breach, while 21 per cent would allow electronic shoplifting.

About five per cent of the flaws would allow intruders to modify information, and a further five per cent allowed malicious users to hijack transactions. Around two per cent of the holes were so serious the web sites could have been deleted.

Bartlett says that more use of penetration testing would help to dispel consumer fears.

'There's no doubt that testing does increase trust,' Bartlett said. 'The more testing you do, the more trust you have in the thing you are using. You are then communicating that trust to your customer.'