Web Application Vulnerabilities Rise, Customers Still Ignore Them

The number of Web application vulnerabilities shot up by 10 percent during the first half of 2009 compared to the last half of 2008, according to a new report released today by Cenzic.

The report pulled together analysis of data compiled from customers using Cenzic’s ClickToSecure, an application security assessment and penetration testing managed service, and by industry vulnerability information. It found that nine out of 10 analyzed Web applications had serious vulnerabilities that could expose data during transactions and could potentially lead to the exposure of sensitive or confidential user information during transactions. And of the more than 3,000 commercially published vulnerabilities Cenzic analyzed, 78 percent were Web application-related.

According to Mandeep Khera, chief marketing officer at Cenzic and one of the report’s authors, the findings themselves are hardly surprising.

“It’s pretty consistent with what we’ve been seeing for the past year and a half,” Khera says of the most recent results, “but what’s continuously been a big surprise for me is that people are still not doing enough, which is just mind boggling to me. It’s very interesting that people are not jumping on this and saying, ‘Hey, I need to secure my Web applications.'”

In his conversations with many midmarket prospects, he continually hears stories of robust, but small, operations that are wholly unprotected from web application vulnerabilities. These vulnerabilities can present an enormous risk to those small organizations that depend on their Websites and e-commerce to keep them afloat. Take, for example, a business owner who ran a 15-person business that Khera spoke to recently. Though the business was small, the company was netting $10 million per year through its Website. And the only security it had was a flimsy network firewall.

“If you look at the SMB, that whole market is about 25 million U.S. businesses and about 20 percent of them rely on e-commerce for their livelihood,” Khera says. “So that’s roughly about 5 million websites. Most of those guys have not clue what web security means, beyond the fact that maybe they have a network firewall or their ISP is providing some basic security level. But beyond that, they have no clue.”

He says that the deficiencies in this market give channel providers a “huge opportunity,” considering the channel’s close relationship with the midmarket.

“I think the channel can add a lot of value in this area, by explaining ‘Here’s how you do it, it’s very easy to do and then once you find vulnerabilities, here’s how you fix them or we can help you fix them,’” Khera says. “And they can offer remediation services on top. I think they have a huge play there.”

Khera reports that Cenzic currently runs about 20 percent of its business through the channel, and it hopes to increase that percentage in 2010. Among the biggest deals Cenzic is trying to push through the channel right now are OEM partnerships, where channel providers can private-label the Cenzic service and bundle it up with their own services to create a comprehensive application security offering.

“We are trying to push it harder, so we should see that number go significantly higher next year,” he says.