Nine out of 10 web applications remain vulnerable to attack even after developers think they have been 'fixed', security experts have claimed.

A study by security firm Imperva on the vulnerability of public and private web applications found that, despite periodic penetration testing and subsequent fixes, flaws reappeared over time.

These application-level vulnerabilities, unsolved by testing, leave the door open to web attacks, internal database breaches and worms.

Imperva's study found that 'high' or 'critical' vulnerabilities in applications increased from 89 per cent to 93 per cent after first-time tests. In more than half of the re-tests, completely new categories of vulnerabilities appeared.

The report explained that, after penetration testing, some developers failed to fix the identified vulnerabilities, either because they did not know how to fix them or because they simply ignored the test results.

New vulnerabilities were found to have been introduced by developers during the time between tests - either as part of the normal evolution of the website or as part of an attempt to fix vulnerabilities identified during the penetration test.

"Security-minded software development and diligent testing of applications are necessary components to address compounding application vulnerabilities," said Shlomo Kramer, chief executive at Imperva, in a statement.

"However, to actually improve security over time, organisations need to deploy application security solutions and continue to use penetration testing to measure their efforts."