The world of Web apps has grown at a breakneck pace in recent years. That’s been good news for consumers and it’s been utterly fantastic news for attackers, who have been given a virtually infinite number of new targets. A new study shows that Web apps are attacked an average of once every three days while some are assailed as many as 2,700 times a year.
Part of what makes Web apps so susceptible to attack is that they are publicly available and accept input from many sources. According to the study by Web security company Imperva, the most common type of attack on Web apps is SQL injection, a tried-and-true technique used by attackers around the world to exploit a common programming error in many Web apps. Structured Query Language (SQL) is a language for managing data in databases; SQL injection is the same type of attack that penetrated Yahoo’s defenses earlier this year, compromising 453,000 voice passwords.
For its study, Imperva monitored 50 Web applications for six months. The results showed that while Web apps sustain an attack roughly every three days, some apps are targeted on as many as 292 days a year, and multiple attacks within a single day are common. The average attack lasted less than eight minutes, but the longest that Imperva recorded went on for nearly 80 minutes.
Because of the irregular and unpredictable nature of the attacks, Imperva’s study concluded that security measures should be designed to withstand a worst-case-scenario attack and not simply the average assault.
“The intensity of the attack will be overwhelming if the defense side was prepared for the average case (27 or 18 attacks per hour as discovered on our previous reports) as the attack will consist of hundreds or even thousands of individual attack requests,” the study notes.