File upload security best practices rarely implemented to protect web applications
Despite a marked increase in concerns around malware attacks and third-party risk, only 8% of organizations with web applications for file uploads have fully implemented the best practices for file upload security, a report from OPSWAT reveals.
Most concerning, one-third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files and a majority do not sanitize file uploads with CDR to prevent unknown malware and zero-day attacks.
“The hybrid workspace has been driving digital transformation and cloud migration initiatives for a while now, and the rise of cloud services, mobile devices, and remote workers has driven organizations to develop and deploy web applications that enhance the experience for their customers, partners, and employees,” said Benny Czarny, CEO at OPSWAT.
“Web applications for file uploads help to streamline their business by making it faster, easier, and less expensive to submit and share documents. Consequently, this adoption has also introduced new attack surfaces that organizations are not effectively protecting.”
Concerns around secure file transfers
The report shows that an overwhelming majority of respondents were concerned about file uploads as an attack vector for malware and cyberattacks: 82% of organizations reported an increased concern about malware attacks from file uploads since last year, and 49% of critical infrastructure industries are extremely concerned about protecting file uploads from malware attacks.
Most interesting, OPSWAT has identified 10 best practices for file upload security and found that only 8% of organizations with web applications for file uploads have fully implemented all ten. Among these best practices, authentication, anti-virus, and storing files outside the web root were the most adopted, while verifying the file type, randomizing uploaded file names, and removing embedded threats with Content Disarm and Reconstruction (CDR) technologies, otherwise known as data sanitization, were among the least adopted.
“This research shows that, although organizations have expressed concerns around the risks of unsecured file uploads, few have adopted the necessary protocols to increase their security posture,” said Czarny. “The results shed light on the common blind spots for organizations leveraging web applications for file uploads.”
Other key findings
- Organizations reported an increased concern around secure file transfers, especially in critical infrastructure industries. Eighty-seven percent of organizations using a web application for file uploads are very concerned about secure file transfers, and 82% report an increase in concern over the past year. Forty-nine percent of critical infrastructure industries were ‘extremely’ concerned, while only 36% of other industries were ‘extremely’ concerned about file transfer security. Forty percent of critical infrastructure industries significantly increased their concern in the past year, while only 25% of other industries showed the same concern.
- Loss of revenue and reputational damage are top concerns in the event of an attack. Two-thirds of organizations with a web application for file uploads are concerned about reputational damage and/or a loss in business or revenue related to unsecure file uploads.
- A majority of organizations have not implemented security best practices. One-third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files, and only 1 in 5 scan with just one anti-virus engine. Two-thirds of organizations with a file upload web portal do not sanitize file uploads with CDR to prevent unknown malware and zero-day attacks.
Organizations aren’t following best practices, they aren’t using comprehensive anti-virus technology effectively, and most are not using CDR technology to prevent known and unknown attacks. If they want to close their web application security gap, they should use a solution that offers comprehensive protection with a few integrated advanced technologies like anti-malware scanning with multiple AV engines and CDR.