OPSWAT Study Uncovers Soft Underbelly of Web Apps
A survey published today by OPSWAT, a provider of tools for protecting IT infrastructure, suggests that, when it comes to uploading files into web applications, the level of security scrutiny being applied is minimal.
Based on the responses from 302 IT professionals that have direct responsibility for the security of web applications or portals that accept at least 500 file uploads per day, the survey found only 8% of organizations that have web applications for file uploads have fully implemented the 10 best practices for security as defined by OPSWAT. These best practices include:
- Only allow specific file types
- Verify file types
- Scan for malware
- Remove possible embedded threats
- Authenticate users
- Set a maximum name length and maximum file size
- Randomize uploaded file names
- Store uploaded files outside the web root folder
- Check for vulnerabilities in files
- Use simple error messages
Overall, the survey finds a third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files, while more than half fail to sanitize file uploads to prevent malware and zero-day attacks.
Despite that lack of effort, however, a full 99% of respondents said they were concerned about file uploads as an attack vector, with 82% reporting that those concerns have increased in the last year.
Chip Epps, vice president of product marketing for OPSWAT, said cybercriminals continue to evolve their approaches to compromising web applications and portals, which now includes inserting malware into uploaded files. Many organizations are overlooking this threat simply because they are unaware of it, or because they lack the expertise and resources required to address the threat. At the same time, however, many digital business transformation processes are now dependent on uploading files into web applications and portals, he noted.
As is often the case when it comes to digital business transformation initiatives, many businesses are implementing new processes without thinking through the cybersecurity implications. In the wake of a recent spate of high-profile cybersecurity breaches, more organizations are starting to review those processes, but in the early aftermath of the COVID-19 pandemic, the level of acceptable risk was a lot higher than it is today. Many organizations are starting to be a little more circumspect in their zeal to transform pending a cybersecurity review. The trouble is, it may be a while before those reviews include the files that are being uploaded into web applications and portals.
In the meantime, cybercriminals are becoming more adept at targeting processes like these and the individuals that drive them. Rather than simply launching random attacks against applications and systems, cybercriminals are taking more time to understand how specific processes actually work with an eye toward maximizing the amount of damage they can potentially inflict. In some cases, cybercriminals may have a better understanding of how a process works than an organization’s internal cybersecurity team. In fact, it might be in the best interest of all concerned for cybersecurity teams to think more like cybercriminals, rather than focusing too much on what type of malware is being used to achieve that goal.
