nCircle statistics show rising Web application vulnerabilities

By Robert Westervelt, News Editor
02 Jul 2009 | SearchSecurity.com


Web application security scanners are finding increasing numbers of coding errors, according to the latest statistics from compliance auditing vendor nCircle.

The latest study by nCircle found that Web application vulnerabilities increased by 154% from 2007 to 2008 and have continued to grow by 25% so far this year. The growth occurred even as the total number of security flaws of all kinds decreased, the vendor said.

SQL injection errors remain the biggest problem for Web applications, followed by cross-site scripting errors, input validation flaws and code injection errors.

nCircle said it detected more than 3,000 new Web application vulnerabilities in 2008. So far the vendor says it's on track to exceed that number this year. In the first two quarters of 2008, nCircle detected 1,548 Web application vulnerabilities.

The statistics could signal some good news for firms since more vulnerabilities are being detected before they are targeted by hackers. Still, Web application security expert Ryan Barnett said it can be challenging to create automatic scanner checks for many classes of vulnerabilities, such as cross-site request forgery and stored cross-site scripting. The rising vulnerability numbers could also reflect the fact that firms are developing Web applications in increased numbers. The awareness of Web application security issues is causing more organizations to assess their apps with vulnerability scanners, said Barnett, director of application security research at Breach Security Inc.

"Although all of the vulnerability scanning statistics list cross-site scripting as the No. 1 vulnerability in websites, the fact is that profit-driven attackers are not yet leveraging them as they haven't figured out a way to directly monetize and automate them," Barnett said. "This may change in the near future, however, as more and more client-driven attacks are being tested out on social network sites such as Facebook and Twitter."

Successful attacks on users of Facebook and Twitter demonstrate the ability of hackers to spread wormable code that can impact a large number of users, Barnett said.

A survey conducted by nCircle at the 2009 RSA Conference and the Infosecurity Europe conference found that IT security professionals are concerned about protecting their systems from Web application vulnerabilities. Fifty-eight percent of 272 respondents said their Web applications were less secure than the rest of their IT infrastructure.

It is also easier than ever for an attacker to exploit a flaw, said Tom Brennan, a board member of the Open Web Application Security Project (OWASP). Large amounts of documentation can be found on how a flaw works, and the availability of free scanners makes it easy to find and target problems, Brennan said.

"The low-hanging fruit analogy is not really a good one any more," he said. "There are an awful lot of areas that you could attack and monetize."

Similar Web vulnerability statistics were released in May by vulnerability assessment vendor WhiteHat Security Inc. WhiteHat said about 70% of the websites it scans are likely to have at least one critical website vulnerability, while another 63% are likely to have flaws that are in need of attention.

According to WhiteHat statistics, social networking sites were the most likely to contain coding errors followed by education and IT websites.

Security vendors, including WhiteHat and nCircle, are touting scanning tools to find flaws. Many firms are also deploying Web application firewalls and applying virtual patches to defend against cyberattacks.
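The article names SQL injection as the most common Web application flaw and virtual patching in a Web application firewall as the stopgap many firms use while the code is fixed. The following is an added illustration, not code from the article or from nCircle, WhiteHat or Breach Security: it shows a constructed lookup with the defect a scanner would flag, a hypothetical `virtual_patch` wrapper standing in for a WAF rule that allows only the expected shape of the parameter, and the real fix, a parameterized query. The SQLite table and its rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """'Before' state: the id parameter is concatenated straight into the SQL text.

    Any input that is not a plain number changes the query's meaning, which is
    exactly the class of error the scanners in the article report most often.
    """
    rows = conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()
    return [r[0] for r in rows]


# Positive-security model: the only legitimate value for this parameter is a
# short run of digits, so anything else is rejected before the handler runs.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def virtual_patch(handler):
    """Hypothetical stand-in for a WAF virtual patch (assumption, not a real product API).

    The vulnerable code is left untouched; the wrapper sits in front of it and
    returns a 403-style response for any request whose parameter fails the
    allow-list check. It buys time until the application code itself is fixed.
    """
    def wrapped(conn, user_id):
        if not ID_PATTERN.match(user_id):
            return {"status": 403, "body": "request blocked by virtual patch"}
        return {"status": 200, "body": handler(conn, user_id)}
    return wrapped


def lookup_fixed(conn, user_id):
    """The durable fix: a parameterized query.

    The driver sends the value separately from the SQL text, so the input can
    never be interpreted as part of the statement, whatever it contains.
    """
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the same two inputs through all three variants and return the results."""
    conn = make_db()
    benign, hostile = "2", "1 OR 1=1"
    patched = virtual_patch(lookup_vulnerable)
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),   # returns every row
        "patched_benign": patched(conn, benign),
        "patched_hostile": patched(conn, hostile),                 # blocked, status 403
        "fixed_benign": lookup_fixed(conn, benign),
        "fixed_hostile": lookup_fixed(conn, hostile),              # no row matches
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The virtual patch only covers the one parameter it was written for, which is why the article's sources describe it as a complement to fixing the source code rather than a replacement: the parameterized version stays safe even for inputs nobody anticipated, while the allow-list has to be maintained for every vulnerable entry point.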

Security consultant and industry observer Eric Ogren said security vendors will integrate vulnerability scanning and penetration testing features into a cohesive set of security tools for IT. The adoption of Web application firewalls is driven primarily by compliance initiatives, but some security pros are also investing in detecting vulnerabilities in application source code.

"Assume all websites are vulnerable and will be exploited," Ogren said. "Put processes in place to detect the presence of malicious code to limit the damage of a successful attack and preplan to take action in the event of a breach."
