Most firms have inadequate defences for web applications, a study has revealed.
The reason is that defences tend to be geared around attack averages, said Amichai Shulman, chief technology officer at security firm Imperva.
But the latest Imperva Web Application Attack Report shows half of the attack incidents on 50 web applications monitored over a six-month period were greater than the average intensity.
"Half the sample attack incidents made up of multiple malicious requests to the web applications lasted more than the average of 7 minutes, 42 seconds, with some lasting up to 79 minutes" he told Computer Weekly.
If all that defences are designed to cope with is the average attack incident, he said, half of the time they will be overwhelmed by attack requests per second that are way above the average.
The research data shows that most of the time very little happens, but every once in a while there is an outbreak of attacks.
Read more on web application security:
- Web-facing applications: Mitigating likely Web application threats
- Cyber attackers increasingly targeting applications, research shows
- HP study finds widespread custom Web application flaws
- Web application attacks: Building hardened apps
- Web application security guidelines for developers
- Web application attacks: Types and countermeasures
While the average sample web application was hit by attack incidents 33% of the time, some had to cope with attacks 80% of the time, the study shows.
For this reason, Shulman believes organisations should base their web application defences based on the worst-case scenario or at least the typical attack in reality rather than the statistical average.
Imperva's research showed that attack incident history could not be used to predict future attacks.
"We went through all our attack data trying to find some predictive model, but we are quite certain there is no predictability," said Shulman. "This means security teams need to be prepared to mitigate attacks without any advance notice."
The latest research and analysis shows that in addition to basing defences on extreme bursts of attacks, they should ensure that security procedures and controls are as automated as possible, he said, because the attack volume is typically too great to deal with manually.
"Organisations should also test their readiness to accommodate bursty threats by simulating them, which is probably the best way to find out if your defences are adequate," said Shulman.
The study also confirmed that SQL injection remains the most commonly used attack on web applications.
Other top attack methods include cross-site scripting (XSS), remote file inclusion (RFI) and local file inclusion (LFI), the report said.
For more security news, sign-up for our security newsletter.