At the top of that list, finance and retail industry applications are the most vulnerable to data breaches, with 70 per cent of retail and 69 per cent of financial services applications shown to have data input validation violations – concerning considering the amount of personal and financial customer data often held in applications across these industries.
Input validation has gotten a great deal of attention this year thanks to the Heartbleed bug, which exposed over 60 percent of the internet’s servers due to improper input validation in the form of a missing bounds check in the implementation of the TLS heartbeat extension.
In June 21 2014, it was estimated that 309,197 public web servers still remained vulnerable. In addition, a recent report revealed that input validation attacks were exploited in 80 per cent of attacks against applications last year in the retail industry alone – with perhaps the largest casualty being the record breaking eBay data breach, resulting in hackers gaining access to over 145m user records and a federal investigation.
The company also found that – contrary to public perception – government IT had the highest percentage of applications without any input validation violations (61 per cent), while independent software vendors came in dead last (12 per cent without violations).
Even more surprising, the data showed that the financial services industry has the highest number of input validation violations per application (224) even though their applications, on average, are only half as complex as the largest application scanned.