File upload security best practices are rarely implemented to protect web applications

Despite a marked increase in concerns about malware attacks and third-party risks, only 8% of organizations with web applications for file downloads have fully implemented best practices for file download security, reveals an OPSWAT report.

More concerning, a third of organizations with a web application for file downloads do not scan all file downloads for malicious files and the majority do not disinfect file downloads with CDR to prevent unknown malware and zero-day attacks.

“The hybrid workspace has been driving digital transformation and cloud migration initiatives for some time now, and the rise of cloud services, mobile devices and remote workers has driven organizations to develop and to deploy web applications that enhance the experience of their customers, partners, and employees,” said Benny Czarny, CEO of OPSWAT.

“Web applications for uploading files help streamline their business by making it faster, easier and less expensive to send and share documents. Consequently, this adoption has also introduced new attack surfaces that organizations are not effectively protecting against.”

Concerns about secure file transfers

The report shows that an overwhelming majority of respondents are concerned about file downloads as an attack vector for malware and cyberattacks: 82% of organizations reported increased concern about malware attacks from file downloads since last year, and 49% of critical infrastructure industries are extremely concerned about protecting file downloads from malware attacks.

More interestingly, OPSWAT identified 10 best practices for file upload security and found that only 8% of organizations with web-based file upload applications fully implemented all ten. Of these best practices, authentication, antivirus, and storing files outside the web root have been the most adopted, while checking file type, randomizing downloaded filenames, and removing embedded threats with Content Disarm and Reconstruction (CDR), otherwise known as data sanitization, were among the least adopted.
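As an added example (not from the OPSWAT report or this article), a minimal Python upload handler that applies three of the least-adopted practices named above: checking the file type by content rather than trusting the client-supplied name, randomizing the stored filename, and writing the file to a directory outside the web root. The allowed types, size limit and storage directory are assumptions chosen for illustration.

```python
import secrets
from pathlib import Path

# Assumed allow-list: extension -> leading magic bytes. Only content that matches
# one of these signatures is accepted, regardless of what the client calls it.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upload size limit


def detect_type(data: bytes):
    """Return the allowed extension whose signature matches the content, else None."""
    for ext, magic in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(claimed_name: str, data: bytes) -> str:
    """Check size and content type; reject when the claimed extension disagrees."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = detect_type(data)
    if ext is None:
        raise ValueError("content does not match an allowed file type")
    claimed_ext = Path(claimed_name).suffix.lower()
    if claimed_ext != ext:
        raise ValueError(f"extension {claimed_ext!r} does not match content {ext!r}")
    return ext


def is_accepted(claimed_name: str, data: bytes) -> bool:
    """Convenience wrapper: True when validate_upload would accept the file."""
    try:
        validate_upload(claimed_name, data)
        return True
    except ValueError:
        return False


def store_upload(claimed_name: str, data: bytes, storage_dir: Path) -> Path:
    """Write the validated file under a random name; storage_dir is outside the web root."""
    ext = validate_upload(claimed_name, data)
    storage_dir.mkdir(parents=True, exist_ok=True)
    dest = storage_dir / (secrets.token_hex(16) + ext)  # 32 hex chars, not the user's name
    with open(dest, "xb") as f:  # 'x' mode refuses to overwrite an existing file
        f.write(data)
    return dest
```

Antivirus scanning and CDR of the stored file are separate steps that this snippet does not perform.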

“This research shows that while organizations have expressed concerns about the risks of downloading insecure files, few have adopted the necessary protocols to strengthen their security posture,” Czarny said. “The findings shed light on common blind spots for organizations that use web applications for file uploads.”

Other key findings

  • Organizations reported increased concern over secure file transfers, especially in critical infrastructure sectors. Eighty-seven percent of organizations using a web application for file uploads are very concerned about secure file transfers, and 82% report an increase in concerns over the past year. Forty-nine percent of critical infrastructure industries were “extremely” concerned, while only 36% of other industries were “extremely” concerned about file transfer security. Forty percent of critical infrastructure industries have significantly increased their concern over the past year, while only 25% of other industries have expressed the same concern.
  • Loss of revenue and reputational damage are top concerns in the event of an attack. Two-thirds of organizations with a web application for file downloads are concerned about damage to their reputation and/or loss of business or revenue related to insecure file downloads.
  • The majority of organizations have not implemented security best practices. A third of organizations with a web application for file downloads do not scan all file downloads for malicious files, and only 1 in 5 scans with a single antivirus engine. Two-thirds of organizations with a file download web portal do not sanitize file downloads with CDR to prevent unknown malware and zero-day attacks.

Organizations don’t follow best practices, don’t use comprehensive antivirus technology effectively, and most don’t use CDR technology to prevent known and unknown attacks. If they want to close the security hole in their web applications, they should use a solution that offers comprehensive protection with advanced technologies built in, such as anti-malware scanning with multiple AV engines and CDR.