Survey reveals that 82% of organizations with web applications that accept file uploads have increased concerns about malware attacks in the last year, but only 8% implement security best practices
OPSWAT, the global leader in Critical Infrastructure Protection, announced the results of its Web Application Security Report, revealing that, despite a marked increase in concerns around malware attacks and third-party risk, only 8% of organizations with web applications for file uploads have fully implemented the best practices for file upload security. Most concerning, one-third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files and a majority do not sanitize file uploads with Content Disarm Reconstruction (CDR) to prevent unknown malware and zero-day attacks.
“The hybrid workspace has been driving digital transformation and cloud migration initiatives for a while now, and the rise of cloud services, mobile devices, and remote workers has driven organizations to develop and deploy web applications that enhance the experience for their customers, partners, and employees,” said Benny Czarny, Founder and CEO at OPSWAT. “Web applications for file uploads help to streamline their business by making it faster, easier, and less expensive to submit and share documents. Consequently, this adoption has also introduced new attack surfaces that organizations are not effectively protecting.”
Recommended ITech News:  Yugabyte Delivers Industry-First Smart Client Driver for Distributed SQL Database with YugabyteDB 2.9 Release
The Open Web Application Security Project (OWASP), a nonprofit organization that tracks the most common risks for web application security and provides best practices for their mitigation, has identified “Unrestricted File Uploads” as a vulnerability with significant risk because files can contain hidden malware that malicious actors can exploit to gain direct access to the systems they are trying to attack. OPSWAT’s web application security research focuses on secure file uploads in order to identify trends and gaps in current cybersecurity measures so that security professionals can better understand and address the risks to their organizations.
OPSWAT’s report shows that an overwhelming majority (99%) of respondents were concerned about file uploads as an attack vector for malware and cyberattacks: 82% of organizations reported an increased concern about malware attacks from file uploads since last year, and 49% of critical infrastructure industries are extremely concerned about protecting file uploads from malware attacks. Most interesting, OPSWAT has identified 10 best practices for file upload security and found that only 8% of organizations with web applications for file uploads have fully implemented all ten. Among these best practices, authentication, anti-virus, and storing files outside the web root were the most adopted, while verifying the file type, randomizing uploaded file names, and removing embedded threats with CDR technologies, otherwise known as data sanitization, were among the least adopted.
“This research shows that, although organizations have expressed concerns around the risks of unsecured file uploads, few have adopted the necessary protocols to increase their security posture,” said Czarny. “The results shed light on the common blind spots for organizations leveraging web applications for file uploads. OPSWAT’s industry-leading technologies can help combat the vulnerabilities we continue to see cybercriminals exploiting. This is all part of our mission to protect the world’s most critical infrastructures from malware and zero-day attacks.”
Recommended ITech News:  SNP Expands Portfolio with New SAP S/4HANA Migration Solution for IBM Cloud
Other key findings from OPSWAT’s Web Application Security Report include:
- Organizations reported an increased concern around secure file transfers, especially in critical infrastructure industries. Eighty-seven percent of organizations using a web application for file uploads are extremely or very concerned about secure file transfers, and 82% report an increase in concern over the past year. Forty-nine percent of critical infrastructure industries were extremely concerned, while only 36% of other industries were extremely concerned about file transfer security. Forty percent of critical infrastructure industries significantly increased their concern in the past year, while only 25% of other industries showed the same increase in concern.
- Loss of revenue and reputational damage are top concerns in the event of an attack. Two-thirds of organizations with a web application for file uploads are concerned about reputational damage and/or a loss in business or revenue related to unsecure file uploads.
- A majority of organizations have not implemented security best practices. One-third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files and only 1 in 5 scan with just one anti-virus engine. Two-thirds of organizations with a file upload web portal do not sanitize file uploads with CDR to prevent unknown malware and zero-day attacks.
Organizations aren’t following best practices, they aren’t using comprehensive anti-virus technology effectively, and most are not using CDR technology to prevent known and unknown attacks. If they want to close their web application security gap, OPSWAT recommends using a solution that offers comprehensive protection with a few integrated advanced technologies like anti-malware scanning with multiple AV engines and CDR.
Recommended ITech News:  Anthony Dumont Joins Constella Intelligence as Chief Revenue Officer
