August 07, 2012
 Apps Attacked Every Three Days

Today, Imperva's ADC released the results of the third Web Application Attack Report (WAAR), which reveals that:

  • The median number of attack incidents across the 50 Web applications observed was 274 per year, with one target experiencing more than 2,700 attack incidents. This means apps, on average, get attacked once every three days. This is consistent with Verizon's 2011 statistics that in 54% of breaches, the attack vector was the web application.
  • Our report also shows the average attack incident for the observed Web applications lasted seven minutes and 42 seconds, but the longest attack incident lasted an hour and 19 minutes. 
  • SQL Injection remains the most popular attack vector.

Chances are most companies are totally unaware of the application attacks they experience. Why? Part of the answer came out on July 30th, when Gartner released the Forecast: Security Infrastructure Worldwide, 2010-2016, 2Q12, featuring security spend figures for the security industry. In 2011, nearly $56B was spent on security consulting, hardware and software. How much was spent to secure applications? Not much. In fact, Gartner didn't even bother to break out Application Security, instead grouping it into the "Other Security Software" category, which was just 6.6% of total spend. By contrast, network firewalls and IPS, which are completely blind to the attacks we describe in our report, received the bulk of the spend.

For a full copy of the Web Application Attack Report, click here.

To register for the August 15th live webinar detailing the report, click here.

