According to 2012 research by a California-based Web application security company, 99 percent of the Web applications it tested, serving both the public and private sectors, were vulnerable to attack.

Cenzic, a California-based Web application security company, released these findings in its February 2013 report, which also details why the situation isn't improving.

Tools exist to test software both during development and once it is in production, so that developers know about the flaws before shipping to public- and private-sector customers, but budget constraints often keep these assessments from being done.

“Ultimately I’ve heard many stories of organizations saying they don’t even want us to scan their applications because they don’t have the budget to fix what they find,” said Scott Parcel, chief technology officer of Cenzic, which offers such a tool.

This alarming trend is not new, according to the company, which also found that 99 percent of Web applications tested in 2011 had vulnerabilities. The one significant difference was the median number of vulnerabilities found per application: 13 in 2012, down from 18 in 2011.

Cenzic presents these findings as a warning to information security and application development personnel that attackers can easily exploit what they build.

Vulnerabilities detected, as a share of all findings, include the following:

  • Cross-site scripting (XSS) – 26 percent
  • Information leakage and session management – both 16 percent
  • Authentication and authorization – 13 percent
  • Cross-site request forgery – 8 percent
  • SQL injection – 6 percent
  • Web server version – 5 percent
  • Remote code execution – 5 percent
  • Web server configuration – 3 percent, and
  • Unauthorized directory access – 2 percent.
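The two most familiar categories in the list above, cross-site scripting and SQL injection, shown as an added example that is not from the Cenzic report or the article: each flaw next to its fix, in Python against an in-memory SQLite table with constructed rows (the table, the names and the payloads are assumptions for illustration).

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the untrusted value is pasted into the query text,
    so a quote in the input changes the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterized query: the driver binds the value as data; it is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def greet_vulnerable(name):
    """Reflected XSS: attacker-controlled text is dropped into HTML unescaped,
    so a <script> tag in the input becomes markup in the page."""
    return "<p>Hello, %s</p>" % name


def greet_hardened(name):
    """Output encoding for the HTML text context: <, >, &, and both quote
    characters are turned into entities, so the input renders as text."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    print(lookup_vulnerable(conn, payload))  # every row: the WHERE clause became always-true
    print(lookup_hardened(conn, payload))    # []: no user is literally named x' OR '1'='1
    xss = "<script>alert(1)</script>"        # constructed XSS payload
    print(greet_vulnerable(xss))             # script tag lands in the page as markup
    print(greet_hardened(xss))               # tag rendered as visible text
```

The hardened forms are the same two controls a scanner such as the one Cenzic describes would flag as missing: bind parameters rather than build SQL from strings, and encode for the output context rather than trust that input was filtered on the way in.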

The report didn't disclose the number of Web applications tested, and a Cenzic spokesperson declined to give the figure, citing security and proprietary reasons, but said it was in the thousands. The report also states that Cenzic's managed security team gathered the data during an analysis of applications in production.

Parcel said he feels that the public sector could play a role in fixing some of these problems, but he’s unsure if the government will act.

“Government efforts around cybersecurity [are] to try to invest in improving things for the whole country, not just for the government,” Parcel said, though he didn’t name any specific actions the government has taken or attempted. “And that, I see, is woefully mis-coordinated and really just not tackling the problem. They keep making all kinds of bold announcements, and then not doing much in the realm of Web application security.”

Dan Lohrmann, Michigan’s chief security officer and director of cybersecurity and infrastructure protection, mostly agreed with these comments.

“The CTO of Cenzic is probably correct, but similar things could also be said on many other aspects of cybersecurity across most governments,” Lohrmann said via email. “I do agree that Web application security lags behind other security areas.”

But according to Lohrmann, the public sector is at a disadvantage when it comes to cybersecurity in general, and he referenced a 2012 study by Deloitte and NASCIO to support this point.

“As the NASCIO-Deloitte study indicates, state and local governments struggle to get the resources and buy-in to do a long list of ‘priorities,’” he said. “I don’t believe this is uniquely true of Web application security.”

Hilton Collins  |  GT Staff Writer

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and as @hiltoncollins on Twitter.