Security News > 2021 > August > File upload security best practices rarely implemented to protect web applications

File upload security best practices rarely implemented to protect web applications
2021-08-30 04:30

Despite a marked increase in concerns around malware attacks and third-party risk, only 8% of organizations with web applications for file uploads have fully implemented the best practices for file upload security, a report from OPSWAT reveals.

Most concerning, one-third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files and a majority do not sanitize file uploads with CDR to prevent unknown malware and zero-day attacks.

"The hybrid workspace has been driving digital transformation and cloud migration initiatives for a while now, and the rise of cloud services, mobile devices, and remote workers has driven organizations to develop and deploy web applications that enhance the experience for their customers, partners, and employees," said Benny Czarny, CEO at OPSWAT. "Web applications for file uploads help to streamline their business by making it faster, easier, and less expensive to submit and share documents. Consequently, this adoption has also introduced new attack surfaces that organizations are not effectively protecting."

Most interesting, OPSWAT has identified 10 best practices for file upload security and found that only 8% of organizations with web applications for file uploads have fully implemented all ten.

Among these best practices, authentication, anti-virus, and storing files outside the web root were the most adopted, while verifying the file type, randomizing uploaded file names, and removing embedded threats with Content Disarm and Reconstruction technologies, otherwise known as data sanitization, were among the least adopted.

Two-thirds of organizations with a file upload web portal do not sanitize file uploads with CDR to prevent unknown malware and zero-day attacks.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/-GSEboRlQZk/