Web Apps Are the Source of Most Vulnerabilities

A new report reveals that Web applications are the most common source of vulnerabilities. While this shouldn't come as much of a surprise, it should serve as an alarm for Web developers.

Web application security solution provider Cenzic said that they tracked 1409 vulnerabilities in the first quarter of 2008. Based on their analysis approximately 70 percent of those vulnerabilities were in Web-related technologies. Of the vulnerabilities that fell into the 70th percentile, 82 percent related to Web applications, 12 percent related to Web server software, 3 percent related to Web browsers, and 3 percent related to multimedia players.

Looking at their data from another perspective, Cenzic reports that SQL injection attacks top the list of problem areas for Web applications, accounting for 27 percent of all vulnerabilities tracked by the company. Cross-site scripting was the second biggest problem, accounting for 24 percent of all Web application vulnerabilities.

Web 2.0--a much-hyped buzzword that describes newer Web technologies--is another area lacking in security according to Cenzic. ActiveX led the pack with 45 reported vulnerabilities. The second big problem area relates to XML, which experienced 18 vulnerabilities. Technologies less often found to contain vulnerabilities include Flash (10 vulnerabilities), RSS (7 vulnerabilities), AJAX (7 vulnerabilities), ATOM (3 vulnerabilities), and JSON, SOAP, and WSDL, all of which experienced 1 vulnerability each during Q1 2008.

Another trend revealed by Cenzic's research relates to Web site probes. Based on data provided by DShield, Cenzic reports that unknown entities launch a high number of scans, probes, and other forms of unwanted traffic within the few days before and after vulnerabilities are reported. The trends seem to indicate that those with prior knowledge of the vulnerabilities look for vulnerable targets before news of the vulnerabilities become public, while still others look for targets after disclosure. Regardless, such traffic typically tapers off within a few days of the public disclosure.

"We're seeing many patterns over time, and our results remain consistent with the Symantec Internet Security Threat Report for the second half of 2007-–that organizations are still not taking the proper initiatives to secure their Web applications," said Mandeep Khera, vice president of marketing at Cenzic. "With organizations required to become compliant with PCI requirement 6.6 by June 30, they need to act aggressively."

Cenzic's full report is available on their Web site.