OPSWAT study reveals soft underbelly of web applications

A survey released today by OPSWAT, a provider of IT infrastructure protection tools, suggests that when it comes to uploading files to web applications, the level of security control applied is minimal.

Based on responses from 302 IT professionals who have direct responsibility for the security of web applications or portals that accept at least 500 file uploads per day, the survey found that only 8% of organizations that have web applications for file uploads have fully implemented the 10 Security Best Practices as defined by OPSWAT. These best practices include:

  • Only allow specific file types
  • Check file types
  • Scan for malware
  • Remove possible built-in threats
  • Authenticate users
  • Set maximum name length and maximum file size
  • Randomize uploaded file names
  • Store uploaded files outside of the web root folder
  • Check files for vulnerabilities
  • Use simple error messages
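An added example, not code from OPSWAT or the survey, showing how several of the listed controls fit together in one upload handler: an extension allow-list paired with magic-byte checks, name-length and size caps, a random stored name, storage in a directory outside the web root, and a single generic error message with the real reason kept server-side. The allow-list entries, limits and the `demo()` inputs are constructed for illustration; malware scanning and sanitization are noted as a hook but not implemented.

```python
import os
import secrets
import tempfile
from pathlib import Path
# Allow-list of accepted extensions with the magic bytes each must begin with
# (constructed for this example; an application extends it as needed).
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
MAX_NAME_LEN = 100                   # cap on the client-supplied file name
MAX_SIZE = 5 * 1024 * 1024           # cap on the upload size (5 MiB)
GENERIC_ERROR = "Upload rejected."   # the only message the client ever sees

class UploadRejected(Exception):
    pass   # carries the generic message; the real reason stays in server-side logs

def validate_upload(client_name: str, data: bytes, log=print) -> str:
    """Allow-list, magic-byte, name-length and size checks; returns the accepted
    extension or raises UploadRejected with the generic message."""
    ext = Path(client_name).suffix.lower()
    magic = ALLOWED_TYPES.get(ext)
    if len(client_name) > MAX_NAME_LEN:
        reason = "name too long"
    elif len(data) > MAX_SIZE:
        reason = "file too large"
    elif magic is None:
        reason = f"extension {ext!r} not on allow-list"
    elif not data.startswith(magic):
        reason = f"content does not match {ext}"   # e.g. a script renamed to .png
    else:
        return ext
    log(f"rejected upload {client_name!r}: {reason}")   # detail for defenders only
    raise UploadRejected(GENERIC_ERROR)

def store_upload(client_name: str, data: bytes, storage_dir: str) -> str:
    """Write the file under a random name into storage_dir, a directory outside
    the web root. A malware scan / sanitization step belongs before the write."""
    ext = validate_upload(client_name, data)
    random_name = secrets.token_hex(16) + ext   # client name (and any "../") discarded
    with open(Path(storage_dir) / random_name, "wb") as fh:
        fh.write(data)
    return random_name

def demo() -> dict:
    """Constructed sample run: a valid PNG is stored, a disguised script is not."""
    storage = tempfile.mkdtemp()                 # stand-in for e.g. /var/app/uploads
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16    # constructed PNG-like bytes
    stored = store_upload("holiday.png", png, storage)
    try:
        store_upload("../notes.png", b"<?php echo 'not an image'; ?>", storage)
        rejected = False
    except UploadRejected as err:
        rejected = str(err) == GENERIC_ERROR
    return {"stored": stored, "rejected": rejected, "exists": os.path.exists(os.path.join(storage, stored))}
```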

Overall, the survey finds that one-third of organizations with a file upload web app fail to scan all file uploads for malicious files, while more than half do not disinfect uploaded files to prevent malware and zero-day attacks.

Despite this lack of effort, 99% of those polled said they were concerned about file uploads as an attack vector, with 82% saying these concerns have increased in the past year.

Chip Epps, vice president of product marketing for OPSWAT, said cybercriminals continue to evolve their approaches to compromising web apps and portals, which now include inserting malware into uploaded files. Many organizations ignore this threat simply because they don’t know about it or because they lack the expertise and resources to deal with it. At the same time, however, many business digital transformation processes now depend on uploading files to web applications and portals, he noted.

As is often the case with digital business transformation initiatives, many companies are implementing new processes without thinking about the cybersecurity implications. Following a recent wave of high-profile cybersecurity breaches, more organizations are starting to revisit these processes, but at the very onset of the COVID-19 pandemic, the acceptable level of risk was much higher than it is today. Many organizations are starting to be a little more circumspect in their zeal to transform while waiting for a cybersecurity review. The problem is, it may take some time for these reviews to cover files that are being uploaded to web apps and portals.

Meanwhile, cybercriminals are increasingly adept at targeting processes like these and the individuals who conduct them. Rather than just launching random attacks against applications and systems, cybercriminals take the time to understand how specific processes actually work in order to maximize the amount of damage they can potentially inflict. In some cases, cybercriminals may have a better understanding of how a process works than an organization’s internal cybersecurity team. In fact, it might be in the best interest of everyone involved for cybersecurity teams to think more like cybercriminals about how a process can be abused, rather than focusing too much on the type of malware being used to abuse it.
