Today we published our application security trend report for Q4 and the full year 2007. Although a lot of corporations and government agencies made some progress, the prognosis continues to be grim. We are barely scratching the surface. We have a long way to go, and many companies are still trying to figure out what they should be doing. Here's my abbreviated executive summary from the trend report. You can download the full report from the Cenzic home page at www.cenzic.com. Please feel free to provide feedback or start a dialogue on the subject here.
2007 was certainly an eventful year, and not just for the election primaries. In 2007 we saw a number of creative and lethal attacks, and not just in the election debates. Web site hacking continued to gain momentum as hackers had a field day exploiting vulnerabilities across all geographies and across different types of Web applications. From a SQL injection robot, to a Russian malware gang attacking a government site, to the exploitation of various Google vulnerabilities, to attacks on various universities, the attacks continued. Financial gain continued to be the primary goal, but we also saw attacks to steal intellectual property and student records, and in a few cases to deface Web sites. The total number of vulnerabilities stabilized, but Web application related vulnerabilities continued to hover around 70 percent of total vulnerabilities. The “bad guys” go where the vulnerabilities are, and Web applications are certainly appealing and inviting to them.
Application vulnerabilities in Q4 tracked the first three quarters in terms of their dominance, forming 71 percent of the 1,404 published vulnerabilities, three percent higher than in Q3. The scary part is that 70 percent of these vulnerabilities are easily exploitable. Application vulnerabilities are the ones that pertain to Web technologies, including Web servers, Web browsers, and Web applications. These published vulnerabilities are for commercially available software and infrastructure that corporations and government agencies buy from ISVs (Independent Software Vendors). They don’t take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications, many of which are outsourced to other countries including India, China, and Russia. Millions of consumers spent more than $29B during the 2007 holiday shopping season in the U.S. alone, putting their personal information, including credit card numbers, into all kinds of Web sites. While there haven’t been many reported incidents of stolen records or major hacking since the holiday season, the silence is deafening. There are valid reasons for this. First, it takes a while before companies realize that information has been stolen from their databases. Secondly, hackers are no longer interested in publicizing their conquest stories. It’s in their best interest to steal the information and use it in stealth mode for as long as possible. Rest assured, some of these sites have probably already been hacked, and the stories will start coming out as the year progresses.
Most of the vulnerabilities in Q4 were within the applications themselves, comprising about 85 percent of all Web application vulnerabilities. Web server and Web browser vulnerabilities were 10 percent and 5 percent respectively. Applications written in PHP continued to account for a major share, 30 percent of all vulnerabilities.
Our Top 10 vulnerabilities for Q4 2007 span various technologies and companies, including OpenSSL, IBM Lotus Notes, Adobe Acrobat, Java, RealPlayer, PHP, IBM WebSphere, Apache, and Adobe Flash. Since this is a year-end report, we added a section for the Top Five Application Security Vulnerability Trends for all of 2007. Our Top Five for 2007 are JavaScript Trickery, Universal XSS in Adobe Acrobat Reader, the Mass SQL Injection Worm, Google Gadgets and Gmail Hacks, and the Orkut XSS Worm.
Cenzic’s ClickToSecure managed service, which tests customers’ Web applications remotely, once again found that roughly 7 out of 10 Web applications contain vulnerabilities of various types, including Cross-Site Scripting, Information Leaks and Exposures, Authorization and Authentication flaws, Session Management flaws, SQL Injection, and other security defects.
In 2007, we were encouraged to see more corporations and government agencies taking action by testing their applications for security vulnerabilities, partly driven by regulations like PCI, AB1950, and GLBA, and partly to protect their brands. But we still have a long way to go. The technology and expertise are available for organizations to start their application security process quickly. Now, with virtualization integrated into some Web application scanners, they can also start testing their production applications and not just the applications in development and QA. We hope we’ll continue to see this momentum of security consciousness in 2008 as we deal with Application Security, the next frontier.
- Mandeep Khera
Good work, thanks for sharing this information!
Posted by: Generic Viagra | July 15, 2009 at 01:58 PM
Always fun to read security news from a few years ago, then see how things have changed....
Posted by: spy phone | August 08, 2009 at 06:47 PM
excellent information, great post!!
Kat
Posted by: Viagra Online | September 23, 2009 at 06:54 AM
Web security is so important now!! But we must not allow this to govern our life!
Posted by: Overweight | September 23, 2009 at 07:24 AM
I feel excellent item to try on this blog, very interesting
Posted by: Generic Viagra | September 24, 2009 at 06:55 AM
hey you have really nice information!
LOVE
Cheryl
Posted by: Caffeine Addiction Affects | September 28, 2009 at 06:49 AM
Very interesting blog, my friend. I really like this information, and thank you for sharing.
Posted by: Soft Cialis | October 09, 2009 at 02:38 PM
Web security is relative. You cannot be completely secure.
tati
Posted by: Generic Cialis Online | October 14, 2009 at 09:41 AM
Well, I don't know what to think... I do not feel secure on the Internet; this web security is very relative!
cheryl
Posted by: Skin Care Age | October 14, 2009 at 03:11 PM
excellent post!!!! ;) you are great!
danielle
Posted by: Hair Loss | October 15, 2009 at 03:29 PM
Thanks for this informative post. I think as the years progress, hackers are always finding ways to infiltrate web security.
Posted by: forex trading system | October 16, 2009 at 02:52 AM
Not only informative, great!!
i love it!
debra
Posted by: Buy Vardenafil | October 16, 2009 at 11:21 AM
great blog!
Posted by: rob | October 19, 2009 at 02:50 AM
Very informative. Thanks.
Posted by: kenny | October 19, 2009 at 02:53 AM
thanks!
Posted by: becky | October 19, 2009 at 02:56 AM
I like the foundation of this blog; it has a great variety of comments. I really like it; several points of view help in the appreciation of the subject.
Posted by: No Prescription Canada Pharmacy | October 29, 2009 at 09:57 AM
I like this part of the article so much... thanks for writing it. Have a nice day!
Posted by: Foreplay Tips for Men | October 29, 2009 at 04:03 PM
Thanks for this helpful information.
Posted by: Affiliate Programs Directory | October 30, 2009 at 06:48 AM
Hi there, i just want to say hello, by the way, NICE POST!
Posted by: Healthy Life | November 02, 2009 at 12:34 PM
I do not trust web security.
Posted by: Buy Viagra Online | November 03, 2009 at 03:29 PM
Thanks for this helpful information.
Posted by: Eye Care | November 04, 2009 at 06:45 AM