
Web application vulnerability assessment shows patching progress

By Robert Westervelt, News Editor
12 Nov 2009 | SearchSecurity.com


Companies are making progress in Web application security, patching throngs of website holes, according to the latest research being presented today by WhiteHat Inc.

The Web application vulnerability assessment firm has been analyzing vulnerability data over the last three years, collecting information almost weekly from more than 1,300 of its customer websites using its WhiteHat Sentinel scanning tool. WhiteHat found a 61% vulnerability resolution rate, a slight increase over its previous reports. Still, the firm said much work remains to be done: currently, 64% of websites contain at least one serious vulnerability.

"We want to start answering the harder question of what works for companies resolving the most serious vulnerabilities quickly," said Jeremiah Grossman, a Web security researcher and founder and chief technology officer of WhiteHat.

For the first time, WhiteHat took a closer look at company websites that didn't have serious vulnerabilities. Those websites were nearly identical to those with serious flaws, but they started out with fewer issues and made progress repairing vulnerabilities quickly. The issue plaguing nearly all websites is cross-site scripting (XSS) vulnerabilities.

"These sites fix their vulnerabilities," Grossman said. "It comes down to business goals and businesses caring to take [secure software development] seriously; over time they're pushing just as much code, but they're pushing less vulnerabilities."

While XSS vulnerabilities are the easiest to fix, the sheer number of these errors makes repairing them a daunting task for some businesses. XSS holes enable attackers to inject malicious JavaScript code and turn a legitimate website into an attack platform targeting its visitors. Meanwhile, SQL injection and cross-site request forgery vulnerabilities are also problematic and open the door to less sophisticated attackers, who use automated tools to find them, Grossman said.

"SQL injection throws up helpful error messages for hackers," Grossman said. "If it regurgitates a database error message, then a hacker immediately knows there's a way in."

XSS errors are likely to be found in 66% of websites scanned by WhiteHat. Meanwhile, information leakage, in which a website reveals sensitive information such as developer comments, user information, internal IP addresses, source code, software version numbers and other error messages, occurs almost 50% of the time.
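The information-leakage classes the report calls out (database error messages, developer comments, internal IP addresses, source paths and software version banners) can be checked for on the defender's side before a scanner or an attacker finds them. The following is an added example, not code from the article or from WhiteHat; the response samples and the signature patterns are constructed here for illustration.

```python
import re

# Constructed signatures for the leakage classes named in the report.
# Real deployments would tune these to the stack in use.
PATTERNS = {
    "db_error": re.compile(
        r"(You have an error in your SQL syntax|ORA-\d{5}|"
        r"Unclosed quotation mark|PG::SyntaxError|SQLSTATE\[)", re.I),
    "dev_comment": re.compile(r"<!--.*?(TODO|FIXME|password|debug).*?-->", re.I | re.S),
    "internal_ip": re.compile(
        r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
        r"172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    "source_path": re.compile(r"(?:/var/www|/home/\w+|/usr/local)/[\w./-]+"),
    "version_banner": re.compile(r"\b(Apache|nginx|PHP|ASP\.NET|Tomcat)/\d+(\.\d+)+", re.I),
}

def find_leaks(body, headers=None):
    """Return {leakage class: [matched strings]} for one HTTP response.

    Headers are folded into the text so a 'Server:' banner is checked too.
    """
    text = body
    if headers:
        text += "\n" + "\n".join(f"{k}: {v}" for k, v in headers.items())
    hits = {}
    for name, pat in PATTERNS.items():
        found = [m.group(0) for m in pat.finditer(text)]
        if found:
            hits[name] = found
    return hits

# Constructed sample responses (url -> (headers, body)); not real captures.
SAMPLE_RESPONSES = {
    "/search?q=x'": (
        {"Server": "Apache/2.2.9 (Debian) PHP/5.2.6"},
        "<html><body>Warning: mysql_query(): You have an error in your SQL syntax "
        "near ''' at line 1 in /var/www/search.php on line 42</body></html>",
    ),
    "/about": (
        {"Server": "nginx"},
        "<html><!-- TODO: remove debug endpoint before release --><body>"
        "Contact the portal at 10.0.3.17</body></html>",
    ),
    "/clean": ({"Server": "nginx"}, "<html><body>Hello</body></html>"),
}

def scan_all(responses=SAMPLE_RESPONSES):
    """Run find_leaks over every response; only leaking URLs are reported."""
    report = {}
    for url, (headers, body) in responses.items():
        hits = find_leaks(body, headers)
        if hits:
            report[url] = hits
    return report

if __name__ == "__main__":
    for url, hits in scan_all().items():
        print(url, hits)
```

The database-error class is the one Grossman singles out: a raw error in a response is both an information leak in itself and a signal to an attacker that injection is worth pursuing, so it deserves the highest triage priority in such a report.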

Websites that contain errors which lend themselves to content spoofing show up in 31% of scans. Content spoofing allows a hacker to set up phishing scams, forcing legitimate sites to redirect visitors to malicious content.

WhiteHat also found the "time-to-fix" gap increasing for some vulnerabilities, meaning much more work needs to be done to expedite the patching of serious flaws. XSS errors take about 67 days to repair, an increase of 9 days over WhiteHat's previous report. Content spoofing took 87 days to resolve, an increase of 16 days, and cross-site request forgery took 93 days to fix, an increase of 37 days.
A number of problems make it difficult to resolve vulnerabilities quickly: the code may be old and no one within the organization is able to repair it, or the code may belong to a third party. Compliance is also a major driver for fixing coding errors, Grossman said. If an error does not result in a compliance violation, fixing it becomes less of a priority, he said.

Despite an effort by many organizations to highlight secure software development best practices, the vulnerability scans show developers continuing to produce shoddy code, Grossman said. Communication is a major issue, he said. IT security and development organizations must coordinate when it comes to dealing with website vulnerabilities to close the time-to-fix gap.

"Security pros have to coordinate with the development group when errors are found and that puts them in a compromised position, explaining software security problems to developers," he said. "While there's been a lot of chatter about secure coding, it hasn't permeated in the Web application area, which is still relatively new; it's going to take more time."
