Web app security still overlooked

Firms at risk from vulnerabilities in their web sites, according to new report

The need for stronger web application security was once again highlighted today by the release of new research that found 90 percent of firms' web sites contain vulnerabilities that could allow external users to disrupt web services or allow unauthorised access.

The Web Application Security Report 2007, by IT security consultancy NTA Monitor, also found that virtually all organisations tested had at least one low-risk issue that could provide attackers with information such as web server software type and make.

The research is the result of a year's work of testing with the firm's customers, according to NTA marketing manager Sarah Turner.

"The implications of these vulnerabilities will vary in criticality depending on the organisations and the type of sites they have," Turner added. "But some of our customers are banks and charities. If you're dealing with bank account details and credit card data [web app] security should be a high priority."

To improve their web application security, the report recommends that firms ensure their web servers are always up to date with patches.

It also advises that organisations make users use their mouse and keyboard when logging in, to mitigate the threat from keyloggers, and implement account lockout mechanisms after a limited number of failed attempts, in order to avoid “brute force” attacks on accounts.