November 09, 2007
Report - 90 percent of Web apps still vulnerable
It may not be surprising that Web application security software provider Cenzic contends that a large number of online programs could use some overall improvement -- but, according to the company's latest research, a whopping 90 percent of all Web apps it has studied are vulnerable to some form of attack.
On Monday, the company will release its third quarter assessment of the current state of Web applications security, along with its list of the leading vulnerabilities it has discovered in its research.
According to Mandeep Khera, vice president of marketing for Cenzic, the outlook hasn't improved much over the last few months, as "thousands of corporations and government agencies" have done nothing to protect their applications, which he said continue to harbor serious flaws.
"With each quarter, new application vulnerabilities are building up and organizations are falling behind in protecting [themselves]," Khera wrote in a report summary sent to InfoWorld ahead of the official announcement.
"We continue to be surprised by the inaction or insufficient action of thousands of corporations and government agencies toward securing their Web applications," he said. "We are not talking about being [one hundred percent] secure at the application layer. We are simply talking about initiating some action, making it at least somewhat difficult for cyber-criminals to gain access."
Based on data gathered from the company's managed services business unit and other sources, Cenzic contends that of the estimated 100 to 150 million Web applications online today, an overwhelming majority are still likely vulnerable.
In its Q3 Trend Report, Cenzic details 1,471 unique published vulnerabilities it observed during the timeframe, with cross-site scripting (XSS) and SQL injection standing as the most prevalent issues.
Of the vulnerabilities cited by the company, it said that roughly 70 percent could be classified as "easily exploitable."
Among the other trends highlighted in the report is the increasing number of vulnerabilities the firm relates to Web 2.0 technologies such as AJAX.
Security researchers are increasingly warning that the nature of such technologies -- largely designed to increase the speed and interactivity of Web-based systems and sites -- and the relative inexperience of many developers writing the applications will combine to create an even more dangerous landscape of assailable flaws.
According to the report, the top 10 vulnerabilities found in commercial and open source Web applications during Q3 were those identified in:
- Bugzilla WebService
- Sun Java System Access Manager
- Rational ClearQuest
- Tomcat Host Manager
- Apache mod_proxy
- Java Runtime Environment
- Apache Tomcat
- Sun Java System Web Server
- IBM WebSphere Application Server
- Java Web Start JNLP
More details on the individual vulnerabilities and their implications can be found in Cenzic's full Q3 Trend Report.
Among the findings garnered from the company's security assessment and penetration testing service work during the quarter were observations that:
- Seven of 10 analyzed Web applications engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions.
- Cross-site scripting continued to be the most common injection flaw type, affecting six out of 10 Web applications.
- Two out of 10 Web applications were found to be vulnerable to types of SQL injection attacks that could result in a direct compromise of the application's back end by an attacker.
- Four in 10 applications failed to properly implement structured exception handling, allowing an attacker to generate SQL error messages or application errors that revealed information useful in planning further attacks against the application.
- Information leaks and exposures, cross-site scripting, and authorization and authentication flaws were among the most prevalent vulnerabilities.
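The SQL injection and exception-handling findings above usually come from one code pattern: untrusted input concatenated into a query, with the database's own error text echoed back to the client when the statement fails. The following is an added example, not code from the Cenzic report or from InfoWorld, written in Python against an in-memory SQLite database as a stand-in for a real application's user store. The table, the two sample users, the three attacker inputs and the `SERVER_LOG` list are all constructed for the illustration.

```python
import sqlite3

# Constructed sample data standing in for an application's user store.
SAMPLE_USERS = [("alice", "5f4dcc3b"), ("bob", "e99a18c4")]

# Stand-in for a server-side logger; a real app would write to its log.
SERVER_LOG = []


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The pattern behind both findings: input concatenated into SQL, and
    the raw database error (query text included) handed to the client."""
    sql = "SELECT id, name FROM users WHERE name = '" + username + "'"
    try:
        return {"status": 200, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Leaks table and column names, the SQL dialect and the exact
        # injection point to whoever submitted the input.
        return {"status": 500, "error": f"Database error: {exc} in query: {sql}"}


def lookup_hardened(conn, username):
    """Parameterised query plus a generic error response; details are
    recorded server-side only."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    try:
        return {"status": 200, "rows": conn.execute(sql, (username,)).fetchall()}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"lookup failed for input {username!r}: {exc}")
        return {"status": 500, "error": "An internal error occurred."}


# Constructed attacker inputs: a bare quote to provoke an error message,
# a tautology to bypass the WHERE clause, and a UNION to read a column
# the query was never meant to return.
PROBE = "'"
TAUTOLOGY = "' OR '1'='1"
UNION = "' UNION SELECT password_hash, 1 FROM users --"


def run_probes():
    """Run each input through both implementations and return the pair of
    responses keyed by probe name."""
    conn = make_db()
    return {
        name: (lookup_vulnerable(conn, inp), lookup_hardened(conn, inp))
        for name, inp in [("probe", PROBE), ("tautology", TAUTOLOGY), ("union", UNION)]
    }


if __name__ == "__main__":
    for name, (bad, good) in run_probes().items():
        print(f"{name:10} vulnerable -> {bad}")
        print(f"{name:10} hardened   -> {good}")
```

Against the vulnerable function the bare quote returns a 500 whose body contains the failing statement, the tautology returns every user, and the UNION returns the password hashes; the hardened function answers all three with an empty result set and never shows the client anything beyond a generic message.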
Posted by Matt Hines on November 9, 2007 01:56 PM