Web application security is getting worse, according to the Web Application Security Report 2009 from security consultancy NTA Monitor.

The firm tested web apps belonging to its public and private sector clients, and ascribed 'high', 'medium', 'low' and 'informational' risk status to the vulnerabilities it found.

The number of applications with at least one 'high' risk vulnerability had grown from 17 per cent to 27 per cent since last year, while the number of apps with one or more 'medium' risk vulnerabilities had increased from 78 per cent to 90 per cent.

NTA Monitor found a total of 13 vulnerabilities per test, ranging from one to an alarming 36 issues.

The most common 'high' risk vulnerabilities involved SQL injection, cross site-scripting and cross-request forgery attacks.

NTA Monitor made several recommendations for firms looking to boost web application security, including regular testing, staff training, the creation and publishing of a clear security policy, and inserting security service level agreements into contracts with internet or managed service providers.