Web security pros have their say for May
Written by Editor
Tuesday, 15 May 2007 11:13

Jeremiah Grossman of WhiteHat Security has been running a recurring survey of web application security professionals to gauge the state of play in the web security arena. The results of the latest survey have just been released, and there are a couple of surprises this time.

This is the second of the surveys for this year. The number of respondents this time was 62, and they have shared with the community their insight into the web security arena.

Based on the responses, the professionals who took part are under no illusions about the state of web security. The general feeling appears to be that there have been no significant improvements: the majority of respondents are of the opinion that web security has either stayed the same or improved slightly within the last 12 months. However, nearly a third of the respondents think the situation has actually deteriorated, because defensive measures have not been able to keep pace with the latest attack techniques. It is quite surprising that in the seven years of the 'Web Security' industry no significant inroads appear to have been made into improving security, and that things may even be getting worse.

Something that did not come as much of a surprise was that just under half the respondents believe the financial services industry is leading the way in web security. This is probably because financial services is the most heavily regulated sector, has traditionally been the leader in delivering online services, and has the most to lose. It is amazing how the risk of losing large sums of money focuses the mind. Interestingly, adult entertainment also scored highly in the eyes of the respondents, with government coming bottom of the pile.

One thing was clear: web application security professionals have a dim view of most developers when it comes to web security. There seems to be very little change in this view between the January survey and this one for May, with the bulk of the respondents firmly of the view that only some developers have a clue when it comes to web application security. There was a small shift in the numbers between January and May from the 'About Half' view to 'Some'. This question is one that requires a longer-term look: the arena is constantly changing, with new attacks being developed and new developers being turned out by the education system, so the picture will keep shifting. But purely based on the numbers, it seems that web application developers are losing the plot.

Both Java and .NET web application technologies scored highly as the technologies used in the most secure web sites. From our experience this is not a huge surprise, but only 3% of the respondents rated PHP as a secure development technology. This could simply be a result of the bad press PHP has had of late, or, more likely, down to guesswork, as many respondents admitted that they were just guessing on this question.

The 'in' technique/issue question for this survey was all about DNS-Pinning and Anti DNS-Pinning, and the results were quite surprising. When asked about their technical understanding of DNS-Pinning and Anti DNS-Pinning, just over a quarter reported a strong understanding, with the majority of respondents having some understanding. That is quite impressive, and it seems that the few bloggers such as RSnake who cover the topic have done a great job putting the word out. But the subject is a tricky one, and we suspect that some respondents may be over-estimating their understanding.

There is an even split amongst the respondents about the risk associated with the exploitability of HTTP Response Splitting, which leaves no real consensus about the level of risk other than that it depends on individual factors.

Finally, in general the respondents of the May survey take the view that Web Application Firewalls are an okay idea; however, the comments make clear that they are no substitute for sound development practices that embrace security best practice. This is much the same way many see IDS/IPS solutions: a good complementary control for providing security in depth, not the magic silver bullet that many marketing types would have you believe.

You can read the full results of this month's survey here, along with the January survey and the December, November and October 2006 surveys.


Last Updated ( Thursday, 17 May 2007 14:44 )