Web Security Report


Q3 2015

The Web Security Report provides web security trends, statistics, best practices, and resources for chief information security officers (CISOs) and IT security staff.


Web applications are the weakest point in corporate cyber defense.

Sponsored by ImmuniWeb, the award-winning web application security testing platform providing on-demand manual penetration testing in parallel with managed vulnerability scanning.

  • The market for global corporate web security was sized at over $1.7 billion (USD) in 2014, and is anticipated to reach a value of $3.2 billion by 2020, according to a report from Future Market Insights (FMI).
  • “Cloud based Web Security solutions are seeing stronger demand,” according to the “Corporate Web Security Market 2014-2018 Report” from technology research firm The Radicati Group, Inc. “Organizations that traditionally deployed on-premises solutions are increasingly moving all their services to the cloud.”
  • A survey in “The SANS Institute 2015 State of Application Security Report” indicates that public-facing web applications are rated as the major concern by 74 percent of respondents.
  • Web application attacks, point-of-sale intrusions, cyber espionage and crimeware were the leading causes of confirmed data breaches last year, according to findings based on data collected by Verizon Enterprise Solutions and 70 other organizations from almost 80,000 security incidents and over 2,000 confirmed data breaches in 61 countries.


  • More than one-quarter — 27 percent — of all security breaches at banks last year involved web app attacks, according to the most recent “Verizon Data Breach Investigations Report”. In web app attacks, cybercriminals use a variety of tactics to interfere with web applications.
  • A recent InformationWeek / DarkReading article states “According to numerous studies, the preferred method for attacking businesses’ online assets is via their Web applications”.
  • “Web attacks are everybody’s scourge,” stated Dr. Anton Chuvakin, Research Vice President, Security and Risk Management at Gartner, in a recent Bank Technology News article. “As the Internet is growing, all sorts of less-skilled programmers are deploying applications. You have fewer security-minded programmers. In five years, we’ll all still be talking about web app attacks”.
  • The “HP 2015 Cyber Risk Report” finds that 86 percent of web applications tested had serious issues with authentication, access control, and confidentiality, an increase over the previous year’s rate of 72 percent. The report, which looked at 6,500 web applications, found that 52 percent of them suffered from long-known security issues.
  • Researchers from KU Leuven University in Belgium and The State University of New York at Stony Brook recently tested websites “protected” with various trust seals provided by reputable security vendors (including Symantec, McAfee, Trust-Guard, and Qualys) delivering automated vulnerability and malware scanning services. The research showed “that seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify.” This is a weakness inherent in almost all fully-automated solutions – they can only go so far before their output needs to be analyzed by a qualified pentester.
  • According to security firm Tripwire, “The mammoth rise in cybercrime has made organizations revise their application security strategy and implement new techniques to safeguard their software. This is largely because traditional security methodologies, such as Manual Testing and Web Application Firewalls (WAF), have been rendered irrelevant due to evolving hacking techniques.”
  • “Web applications remain the weakest point in corporate cyber defense and they require special attention” says Ilia Kolochenko, founder and CEO at High Tech Bridge – a global provider of information security services in the areas of penetration testing, computer forensics, malware analysis and source code review, and provider of ImmuniWeb, an on-demand web security testing service provided in partnership with PwC.


  • Asked who tests application security, respondents to “The SANS Institute 2015 State of Application Security Report” said external security consultants are used by 29.6 percent of organizations, and security-as-a-service providers are used by 15.2 percent of organizations.
  • “We expect the percentage of corporations turning to outside providers for web application scanning to trend way up” says Steve Morgan, Editor-In-Chief of the Cybersecurity Market Report. “Web applications have become a security choke point and enterprises can not adequately manage the exploits. They need third parties to help”.
  • A report by Bessemer Venture Partners (BVP), a multi-national $4 billion venture capital firm, identifies cybersecurity as one of three particularly high-growth areas within cloud. Referring to the importance of securing cloud applications, and the potentially staggering market impact of not securing them, BVP stated “If Salesforce went down for two days, the whole industry would lose 20 percent off its valuations”.




Steven C. Morgan, Editor-In-Chief

Steve Morgan is Founder and CEO at Cybersecurity Ventures, and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies. Steve writes the weekly Cybersecurity Business Report for IDG’s CSO, and he is a contributing writer for several business, technology, and cybersecurity media properties.

© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.