20
Feb

Calculating Your Web Application Security Odds

Posted by Michael Vizard
in Application Security

On average any given website is probed by hackers 18 times an hour. And that's good news -- last year, sites were probed an average of 27 times per hour. But the bad news is once hackers decide to attack, they launch on average 38,000 attacks an hour, or roughly 10 attacks a second -- up from 27,000 attacks per hour recorded in January 2011.

These statistics are courtesy of the Web Application Attack Report published by Imperva, a provider of web application and database security software, based on the observations of attacks on 40 different web applications.

Imperva CTO Amichai Shulman notes the survey results suggest hackers today are better armed with tools that allow them to automate more targeted attacks. The results also suggest the developers of web applications are getting better at securing them, given the escalation in attacks being launched per hour.

The types of attacks themselves appear to be pretty consistent. According to the report, remote file inclusion (RFI), SQL injection (SQLi), local file inclusion (LFI), cross-site scripting (XSS) and directory traversal (DT) are the most common forms of attack, with XSS and DT the most prevalent classical attack types. But the study also finds a rise in business logic attacks that evade detection more easily, specifically e-mail extraction and comment spamming.

Shulman says the increased ferocity of attacks against web applications makes it pretty clear that IT organizations need to invest in application firewalls, especially as application software becomes ever more complex. No matter the size of the organization or the application itself, hackers are going to test its defenses aggressively. And while no application can be 100 percent secure, Shulman says having an application firewall will make hackers work harder to crack your application vs. any one of a thousand others.
