Cenzic's CIA Labs has recently finished up its Q1 2007 Application Security Trend Report. I thought I would drop a line here to give you the highlights. You can get the full report from Cenzic (you should see a link to the file from the homepage). You can also try to get it here via a direct link.
In preparing the report we drew on a number of sources including SecurityTracker, Bugtraq, Full-Disclosure, as well as various academic and private sector studies. Citing the sources we overtly used isn't enough to give full credit where it is due, though, as our work was inspired by Symantec's Internet Security Threat Report. A few remarks are in order.
I am a huge fan of Symantec's Internet Security Threat Report, currently on volume 11 (cf. ISTR Volume XI). Ever since I first got my hands on this report I've thought of it as the very best in its class, a work of art even. Rather than a veil through which to spew forth marketing data, it's a robust research product that gives accurate, informative, and useful data to the security professional. I've plugged Symantec's Threat Report in every talk/presentation I have given for the last two years. Two things have always come to my mind when reading it: I wish it were more focused on application security rather than security in general (yes, it was a selfish wish), and I always wanted more detail regarding the attack data discussed in the reports: monthly breakdowns, more details, and a backdrop against which to correlate the data.
So you can imagine my happiness when I approached Cenzic's management about us doing our own trend report, a report focused on application security that delved into the details I always felt were missing in the ISTR, and was given the go-ahead. Off the bat we faced a major hurdle. Unlike Symantec we didn't have a global network of thousands of intrusion sensors that we could tap into as a data feed. So I turned to the SANS Internet Storm Center and DShield as the source of raw data, and queried these organizations for their Q1 probe and attack data as it related to port 80. I am not sure if all our readers are familiar with the concept of collaborative security models, so I will discuss how this data is collected. Thousands of users submit their firewall, IDS, router, and ACL logs to these organizations, and the statistics on blocked traffic are crunched daily. This information gives a picture of probing and attack activity and is very useful when looking at high-level trends and patterns. The drawback is that the data is raw and uninterpreted.
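To make the collaborative model concrete, here is an added example (my own illustration, not code from the report, SANS ISC or DShield) that does in miniature what such a network does with submitted logs: it parses blocked-connection lines and rolls them up into per-day counts for one destination port, with the number of distinct probing sources. The log line format and the sample lines are constructed for this example and are not DShield's own submission format; malformed lines are skipped rather than counted.

```python
"""
Added example (not from the Cenzic report or the DShield/ISC project):
aggregate blocked-connection log lines into daily port-80 probe counts,
the way a collaborative sensor network summarises submitted firewall logs.
The log format below is constructed for this example, not DShield's own.
"""
from collections import defaultdict
import re

# Constructed sample lines: "<date> <time> <action> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2007-01-03 02:14:07 DROP 203.0.113.10 -> 198.51.100.5:80 TCP
2007-01-03 02:14:09 DROP 203.0.113.10 -> 198.51.100.5:80 TCP
2007-01-03 11:40:11 DROP 198.51.100.77 -> 198.51.100.5:22 TCP
2007-01-03 23:59:58 DROP 192.0.2.44 -> 198.51.100.5:80 TCP
2007-01-04 00:00:02 DROP 192.0.2.44 -> 198.51.100.5:80 TCP
2007-01-04 08:30:00 ACCEPT 192.0.2.44 -> 198.51.100.5:80 TCP
2007-01-04 09:15:33 DROP 203.0.113.10 -> 198.51.100.5:443 TCP
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<action>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def daily_port_summary(log_text, port=80):
    """Count blocked (DROP) records per day for one destination port.

    Returns {date: {"records": n, "sources": distinct_source_count}},
    sorted by date. Accepted traffic and other ports are ignored, which is
    the 'blocked traffic' view the text describes.
    """
    per_day = defaultdict(lambda: {"records": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or rec["port"] != port:
            continue
        bucket = per_day[rec["date"]]
        bucket["records"] += 1
        bucket["sources"].add(rec["src"])
    return {
        day: {"records": b["records"], "sources": len(b["sources"])}
        for day, b in sorted(per_day.items())
    }


if __name__ == "__main__":
    for day, stats in daily_port_summary(SAMPLE_LOG).items():
        print(f"{day}: {stats['records']} blocked port-80 records "
              f"from {stats['sources']} distinct sources")
```

Run over the embedded sample it reports 3 blocked port-80 records from 2 sources on 2007-01-03 and 1 record from 1 source on 2007-01-04; the accepted connection and the port 22/443 records are excluded. This is exactly the kind of output the text calls "raw and uninterpreted": it shows that probing happened, not what it was for, which is why the report pairs it with a timeline of events.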
Rather than trying to build a story around every peak and curve on a graph of such data, we decided to give readers a backdrop against which to consider the observed activity. After each month's probe and attack data we provided a list of major events that occurred during the same time frame, as well as information from US-CERT. This gives a canvas against which the reader can look at the trends and draw their own conclusions. It also serves to highlight significant application security events that occurred during the Q1 2007 period.
Next we engaged in the herculean task of hand counting and categorizing all of the application vulnerabilities disclosed during the Q1 period. Here are some of the highlights from our work:
• Roughly 67% of the vulnerabilities affected Web servers, Web applications and Web browsers.
• Applications written in PHP comprise roughly 30% of all vulnerabilities.
• Vulnerabilities within the PHP programming language versions 4 and 5, including wrappers, extensions, and bundled components, comprised 3% of total vulnerabilities.
• Roughly 63% of the Web application vulnerabilities can be accounted for by 4 vulnerability classes: file inclusion, SQL injection, cross-site scripting, and directory traversal.
• Roughly 71% of the reported vulnerabilities are classified as easily or trivially exploitable.
• Vulnerabilities in Web Server or Web Application Server technologies comprised around 7% of the total reported Web application vulnerabilities.
• Remote file inclusion vulnerabilities in PHP comprise 17% of the reported Web application vulnerabilities and were reported in roughly equal proportion to SQL injection vulnerabilities.
• 19% of all reported Web application vulnerabilities involved cross-site scripting.
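The figures above come from hand counting and categorizing every disclosed vulnerability. As an added illustration of that exercise (my own code, not the report's tooling or its dataset), the following classifies a small constructed set of advisory titles into the four classes named in the highlights, computes each class's share of the total, and reports how much of the total the four classes together account for. The rules are simple keyword matches, checked in a fixed order so that a title naming two classes is counted once; the advisory titles are made up for the example.

```python
"""
Added example (not the report's own tooling or data): bucket constructed
advisory titles into vulnerability classes and compute each class's share,
a small version of the hand-counting exercise described in the post.
"""
from collections import Counter
import re

# Keyword rules per class. The first matching rule wins, so an advisory that
# names two classes (e.g. "XSS and SQL injection") is counted exactly once.
CLASS_RULES = [
    ("remote file inclusion", re.compile(r"remote file inclusion|\bRFI\b", re.I)),
    ("SQL injection", re.compile(r"sql injection|\bSQLi\b", re.I)),
    ("cross-site scripting", re.compile(r"cross[- ]site scripting|\bXSS\b", re.I)),
    ("directory traversal", re.compile(r"directory|path traversal", re.I)),
]

# Constructed advisory titles; product names are placeholders, not real software.
ADVISORIES = [
    "FooCMS index.php 'page' parameter remote file inclusion",
    "BarBoard RFI in include/config.php",
    "ShopX cart.php SQL injection",
    "WikiY search XSS and SQL injection",
    "BlogZ comment field cross-site scripting",
    "ForumQ stored XSS in signature",
    "FileServ download.php directory traversal",
    "ImageLib PNG decoder buffer overflow",
    "MailApp authentication bypass",
    "LogTool format string vulnerability",
]


def classify(title):
    """Return the first class whose rule matches, or 'other'."""
    for name, pattern in CLASS_RULES:
        if pattern.search(title):
            return name
    return "other"


def class_shares(titles):
    """Map each class to (count, percent of total), most common first."""
    counts = Counter(classify(t) for t in titles)
    total = len(titles)
    return {name: (n, round(100.0 * n / total, 1)) for name, n in counts.most_common()}


def covered_share(shares):
    """Percent of advisories that fall into one of the named classes (not 'other')."""
    return round(sum(pct for name, (_, pct) in shares.items() if name != "other"), 1)


if __name__ == "__main__":
    shares = class_shares(ADVISORIES)
    for name, (n, pct) in shares.items():
        print(f"{name:24s} {n:3d} {pct:5.1f}%")
    print(f"four named classes together: {covered_share(shares)}%")
```

On the constructed set the four named classes cover 70% of the advisories, with "other" holding the remaining 30%; the real report's 63% figure is for its own Q1 2007 data and is not reproduced by this toy input. The ordering caveat matters in practice: an advisory such as "XSS and SQL injection" lands in whichever class is checked first, and a hand count has to decide the same thing consistently.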
In addition to the probe and attack data we also polled data from our ClickToSecure service on the types of vulnerabilities we found to be most prevalent in the wild. Above all we hope that we have provided our readers with an informative and thought-provoking trend report for the Q1 2007 period.
-Tom Stracener
The link to the document is bad.
Posted by: Dave | May 23, 2007 at 05:17 AM
Dave,
Thanks for bringing this matter to my attention. A change in the filename broke my links. The best thing to do is to download it by navigating to the Cenzic homepage and downloading it from there. Our homepage is: www.cenzic.com
Posted by: Tom Stracener | May 23, 2007 at 05:57 AM
I've just downloaded the PDF (after spending too much time on your company's homepage to find it, mind you) and so far, the work seems reasonable.
Might I suggest that you re-link the PDF to the blog posting here? Having to navigate through an auto-updating mouse-over menuing system on the home page to find it kind of sucks...
My anonymous two cents for what they're worth.
Thanks again for the effort putting this together.
Posted by: Anonymous Coward | May 23, 2007 at 07:19 AM
AC,
Thanks for the feedback. Making the change you requested now.
-TS
Posted by: Tom Stracener | May 23, 2007 at 09:57 AM
I hope you can change the links, thanks!
Ben Cliff
Posted by: Small Business Answering service | August 30, 2010 at 10:22 AM
A look at things from other people's ideas, the activity of mind to know other people who never have to worry for their future.
Posted by: air max shoes | December 20, 2010 at 10:27 PM
ok. Very cool and I will come back next time.
Posted by: Lunette de soleil Armani | June 04, 2011 at 01:31 AM
you can choose any New Era brimmed hats, fishing hats and new Era caps with the front.
Posted by: pas cher new era | June 09, 2011 at 05:02 AM
Keep posting stuff like this, I really like it
Posted by: cheap handbags | October 17, 2011 at 08:41 PM
you fashion. Thank you for sharing
Posted by: veste g-star | November 16, 2011 at 07:03 PM