Report and related events 2017

Cover Rapporto OAD 2017 applicativi

 40 pages A4 format, published in May, 2017

Author: Marco R. A. Bozzetti 

Publisher:  Reportec  Srl 

 Patronage providers: AICA, AIPSI, Assintel, Assolombarda, Aused, CDI Torino, CDTI Roma, ClubTI Centro, ClubTI Emilia Romagna, ClubTILiguria, ClubTI Milano, FIDA Inform, FTI, IEEE-Italian Chapter, Inforav,  itSMF

The OAD  Report 2017 focuses on a specific item of the cyber attacks: the attacks to the application software relevated by the respondents during 2016.

The Report is all in Italian,  and in the following  this web page reports an abstract in English.

 For the complete Report, the related articles and presentations, all in Italian, please refer to the Italian web page (click at the top right to the Italian Flag).

 NOTE: in 2017 no "general" OAD Report was published,  analougusly to the previous annual reports, but only this "vertical" one,  focused on the attacks to the  applications. The "general"  survey on the attacks in 2016 and 2017 will be covered by OAD 2018, at the date in progress.



 Abstract OAD AA 2017 Report 

 The OAD AA  survey, sponsored by F5 Networks as Gold Sponsor of the 2016 OAD Report, highlights the countless vulnerabilities that are exploited by cyber criminals and malicious hackers: as many as 46.9% of the respondents (close to 50%) detected attacks on applications, confirming that this is one of the main problems of digital security, along with the naive and incorrect behavior of users.
Fortunately, the worst attacks suffered by most companies were low-level, allowing the restoration of the application in a few hours, but 14.5% of those led to more serious consequences: up to a month to return to normal. Even for 1.8% the restoration required more than a month of work.

The main data emerging from the Report include:

  • The context: typology of respondents and their IT systems
    • as for the prevoius OAD reports, the companies of the respondents belong mainly to 3 product sectors: ICT services, manufacturing, professional services; all the other ATECO sectors considered had respondents, but in limited numbers.
    • The breakdown by size as number of employees is well balanced between small, medium, large and very large structures.
    • The role of respondents is mainly that of Responsible / Administrator of the information system and of the top manager of the company / institution, especially for the smaller ones;
    • the total number of applications in the computer systems depends on the size and type of company: just over half has up to 20 applications, typically SMEs, and very large companies / organizations  have more than 100 applications;
    • almost all respondents have applications in production in the cloud, but only a few use the cloud for testing applications.
  • Vulnerabilities of applications: countless types of vulnerabilities, exploitable and exploited by attackers, from bugs in the code due to an unsafe programming to non-setting of security parameters in configurations:
    • The large number of vulnerabilities of applications and software that they use, from operating systems to middleware, makes the ICT risk analysis  complex and  difficult;
    • The risk analysis is still limited and carried out mainly by large companies / institutions.;
    • Also the  design and implementation of effective and efficient  security  measures is complex and difficult for the mayority of the organizations (in Italy very very large the number of SME and micro-nano companies);
    • Lot of vulnerabilities, limited risk analysis and  and security implementations often partial and not at the state-of-the-art make it easier to bring attacks on applications with very serious business impacts.
  • Impacts of the application attacks: the impacts of the worst attack for a company in the year, measured according to the time needed to restore the application,  have been in most cases not serious and the application and its data  have been  restored in few hours. But a significant 14.5% of respondents required  about a month to restore, and for a small, but not inconsiderable, 1.8%, required more than a month.
    • Note that some attacks on applications were the most critical and difficult to restore compared to all attacks, not only to applications,  as  detailed in  the OAD 2016 Report
  • Main causes of attacks on applications:
    • the most relevant and widespread cause is due to the software and infrastructure vulnerabilities  (36.2% in 2016);
    • in second place the bad  development of the application code in term of security  and / or with unsafe programming languages (25.4% in 2016), 
    • the third cause is the lack and/or limited level in identification, authentication and access control systems (20.8% in 2016).
  • Security measures in place for applications: theinformatics  systems of the respondents respondents largely belong to the high-end for security measures, thanks also to the fact that many are ICT service companies, which therefore have (or should have) ICT systems and their security at  the state of the art (but also among the ICT companies there are cases of "Cobbler with broken shoes"). In fact:
    • 70% of respondents classify data and applications;
    • more than 84% manages the authentication and access control in a centralized manner;
    • before moving an application from test-debug to production, 80% perform functional tests and almost 69% technical tests and on
      code security;
    • almost 55% carry out a penetration test.


This website uses cookies from both its Joomla 3.x and from third party software to improve the browsing experience of users and to collect information on the use of the site itself.