
February 28, 2008

2007 - Another crisis year for Web Security!

Today we published our application security trend report for Q4 and the full year 2007. Although a lot of corporations and government agencies made some progress, the prognosis continues to be grim. We are barely scratching the surface. We have a long way to go, and many companies are still trying to figure out what they should be doing. Here's my abbreviated executive summary from the trend report. You can download the full report from the Cenzic home page at www.cenzic.com. Please feel free to provide feedback or start a dialogue on the subject here.

2007 was certainly an eventful year, and not just for the election primaries. In 2007, we saw a number of creative and lethal attacks, and not just in election debates. Web site hacking continued to gain momentum as hackers had a field day exploiting vulnerabilities across all geographies and across different types of Web applications. From the SQL Injection Robot, to a Russian malware gang attacking a government site, to exploitation of various Google vulnerabilities, to attacks on various universities, the attacks continue. Financial gain continues to be the primary goal, but we also saw attacks to steal intellectual property and student records, and in a few cases to deface Web sites. The total number of vulnerabilities stabilized, but Web application related vulnerabilities continue to hover around 70 percent of total vulnerabilities. The “bad guys” go where the vulnerabilities are, and Web applications are certainly appealing and inviting to these constituents.


Application vulnerabilities in Q4 tracked the first three quarters in terms of their dominance, forming 71 percent of the total 1,404 published vulnerabilities, a three percent increase over Q3. The scary part is that 70 percent of these vulnerabilities are easily exploitable. Application vulnerabilities are the ones that pertain to Web technologies, including Web servers, Web browsers, and Web applications. These published vulnerabilities are for commercially available software and infrastructure that corporations and government agencies buy from ISVs (Independent Software Vendors). They don’t take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications, many of which are outsourced to other countries including India, China, and Russia. Millions of consumers spent more than $29B during the 2007 holiday shopping season in the U.S. alone, putting their personal information, including credit card numbers, into all kinds of Web sites. While there haven’t been many incidents reported of records stolen or major hacking since the holiday season, the silence is deafening. There’s actually a valid reason for this. First, it takes a while before companies realize that information has been stolen from their databases. Secondly, hackers are no longer interested in publicizing their conquest stories. It’s in their best interest to steal the information and use it in stealth mode for as long as possible. Rest assured, some of these sites have probably already been hacked, and the stories will start coming out as the year progresses.


Most of the vulnerabilities in Q4 were within the applications themselves, comprising about 85 percent of all Web application vulnerabilities. Web server and Web browser vulnerabilities were 10 percent and 5 percent respectively. Applications written in PHP continued to be a major chunk, forming 30 percent of all vulnerabilities.


Our Top 10 vulnerabilities for Q4 2007 span various technologies and vendors, including OpenSSL, IBM Lotus Notes, Adobe Acrobat, Java, RealPlayer, PHP, IBM WebSphere, Apache, and Adobe Flash. Since this is a year-end report, we added a section for the Top Five Application Security Vulnerability Trends for all of 2007. Our Top Five for 2007 are JavaScript Trickery, Universal XSS in Adobe Acrobat Reader, the Mass-SQL Injection Worm, Google Gadgets and Gmail Hacks, and the Orkut XSS Worm.


Cenzic’s ClickToSecure managed service, which tests customers’ Web applications remotely, once again found that roughly 7 out of 10 Web applications contain various types of vulnerabilities, including Cross-Site Scripting, Information Leaks and Exposures, Authorization and Authentication flaws, Session Management flaws, SQL Injection, and other security defects.


In 2007, we were encouraged to see more corporations and government agencies taking action by testing their applications for security vulnerabilities, partially driven by regulations like PCI, AB1950, and GLBA, and partially to protect their brands. But we still have a long way to go. Technology and expertise are available for organizations to start their application security process quickly. Now, with virtualization integrated into some Web application scanners, they can also start testing their production applications, not just the applications in development and QA. We hope we’ll continue to see this momentum of security consciousness in 2008 as we deal with Application Security, the next frontier.

    - Mandeep Khera
