Nine out of 10 web applications remain vulnerable to attack even after developers think they have been 'fixed', security experts have claimed.
A study by security firm Imperva on the vulnerability of public and private web applications found that, despite periodic penetration testing and subsequent fixes, flaws reappeared over time.
These application-level vulnerabilities, unsolved by testing, leave the door open to web attacks, internal database breaches and worms.
Imperva's study found that 'high' or 'critical' vulnerabilities in applications increased from 89 per cent to 93 per cent after first-time tests. In more than half of the re-tests, completely new categories of vulnerabilities appeared.
The report explained that, after penetration testing, some developers failed to fix the identified vulnerabilities, either because they did not know how to fix them or because they simply ignored the test results.
New vulnerabilities were found to have been introduced by developers during the time between tests - either as part of the normal evolution of the website or as part of an attempt to fix vulnerabilities identified during the penetration test.
"Security-minded software development and diligent testing of applications are necessary components to address compounding application vulnerabilities," said Shlomo Kramer, chief executive at Imperva, in a statement.
"However, to actually improve security over time, organisations need to deploy application security solutions and continue to use penetration testing to measure their efforts."
Australian government to require technology and communications companies to provide access to messages
New bill avoids demanding 'backdoors' in encryption, but includes measures to compel companies to provide access to encrypted communications
Indonesian overclocker Ivan Cupa (with the aid of a lot of liquid nitrogen) achieves record overclock on AMD's latest Threadripper
Ssupermassive black hole is so big it corresponds to four per cent of the galaxy's total mass
Imminent attack will target a single bank with cloned cards used to fraudulently withdraw millions over one weekend