IT Security Vulnerabilities Caused by Web Applications

Posted on October 7, 2019August 11, 2025

Custom business applications are increasingly attractive because they allow companies to improve employee and customer user experiences with enhanced flexibility and efficiency. Some custom business app platforms tout that “creating your own custom apps is easy, even if your programming knowledge is non-existent.” However, this ease and accessibility can lead to unanticipated security vulnerabilities.

According to Impervia, in 2018, web application security vulnerabilities increased by 23% from 2017 and by 162% from 2016. Impervia also notes that “more than half of web application vulnerabilities (54%) have a public exploit available to hackers.” Hackers can use these exploits to enter your organization’s network and access your systems.

What Are Countermeasures/Prevention Techniques?

In most situations, configuration or programming errors are the leading cause for web application vulnerabilities. These errors may be identified by performing a web application scan and/or code reviews.

Web Application Vulnerability Assessment

AAFCPAs advises clients to conduct regular web application vulnerability assessments when they have systems exposed to the internet. Exposure is of particular concern when sensitive data resides on the internet or if applications are developed and managed internally.

AAFCPAs’ web application vulnerability assessments identify vulnerabilities such as HTML or SQL injections, cross-site scripting (XSS), and URL redirections. When these vulnerabilities are present, hackers could modify the code or links in your web applications.

Evaluate Processes

While it is important to remediate issues shown in scan results, AAFCPAs’ Cyber Security experts advise clients to examine root causes and enhance internal processes to reduce or eliminate the reoccurrence of such findings. Vulnerabilities are likely a result of breakdowns in your organization’s processes. AAFCPAs evaluates clients’ existing processes related to change management and Software Development Life Cycle (SDLC) and provides guidance to improve security measures moving forward.

Regularly Assess the Most Prominent Security Risks

The Open Web Application Security Project (OWASP) is a global nonprofit community that identifies and provides guidance on the most prominent vulnerabilities in web-based applications. The OWASP Top 10 List of Risks represents a broad consensus about the most critical security risks to web applications and is considered the ideal starting point for web application security.

AAFCPAs encourages clients—especially those who created or customized web-based application(s)—to adopt the OWASP awareness document within their organization in order to minimize these risks. AAFCPAs completes OWASP analysis for clients to improve the security and quality of their code. OWASP scans go beyond those of a Web Application Scan to include source code reviews.

To schedule a cybersecurity assessment, or for specific advice on web application vulnerabilities and how to best protect your organization, please contact: James Jumes at 774.512.4062, jjumes@nullaafcpa.com; Mr. Anderson at manderson@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Technology & Process Advisory practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology systems …

Mr. Anderson, MCSE, CCNP, CISSP, CEH

Mr. Anderson is a white hat ethical security hacker and business continuity advisor with extensive experience designing and implementing security-focused audit and control programs. In his role providing virtual CISO support, he works closely with organizations to strengthen IT security governance, resilience, and oversight across complex technology environments including managed services. Clients depend on his leadership for security architecture reviews, penetration and vulnerability testing, as well as business resiliency, disaster recovery, and remediation planning. His technical …

Related Insights

Carla McCall Featured in FM Magazine on Finance Roles in Cybersecurity

FM Magazine Report: 5 emerging business cyberthreats — and how to combat them FM Magazine (October 2025) – From deepfakes to payment fraud, companies are at risk of increasingly complex cyberthreats—with finance taking a leading role in mitigating risks. Carla McCall, CPA, CGMA, Managing Partner of AAFCPAs, contributed insights into five emerging business cyberthreats and […]

How IT Controls Keep Your Systems and Data Safe

During AAFCPAs’ recent webinar, Understanding Your ITGCs: Why They Matter and How to Strengthen Them (November 2025), Lisa Whittemore, CFE, CRMA, MBA and Vassilis Kontoglis presented a practical framework for assessing, strengthening, and monitoring IT general controls to protect data, ensure operational continuity, and support regulatory compliance. A single misstep in IT General Controls (ITGCs) […]

Watch Understanding Your ITGCs: Why They Matter and How to Strengthen Them

IT General Controls (ITGCs) are under increasing scrutiny—and the consequences of failure are growing. CEOs, CFOs, and Boards are often blindsided by assessment findings, risk exceptions, and regulatory pressure tied to weak or outdated IT controls. These issues aren’t just technical—they’re strategic, with real implications for financial integrity, compliance, and reputation. In this webinar, we […]