Web application security scanners are finding increasing numbers of coding errors, according to the latest statistics from compliance auditing vendor, nCircle.
The latest study by nCircle found that Web application vulnerabilities from 2007 to 2008 increased by 154% and are continuing to grow by 25% so far this year. But the growth occurred even as the total number of overall security flaws is decreasing, said the security vendor.
SQL injection errors remain the biggest problem for Web applications, followed by cross-site scripting errors, input validation flaws and code injection errors.
nCircle said it detected more than 3,000 new Web application vulnerabilities in 2008. So far the vendor says it's on track to exceed that number this year. In the first two quarters of 2008, nCircle detected 1,548 Web application vulnerabilities.
The statistics could signal some good news for firms since more vulnerabilities are being detected before they are targeted by hackers. Still, Web application security expert Ryan Barnett said it can be challenging to create automatic scanner checks for many classes of vulnerabilities, such as cross-site request forgery and stored cross-site scripting. The rising vulnerability numbers could also reflect the fact that firms are developing Web applications in increased numbers. The awareness of Web application security issues is causing more organizations to assess their apps with vulnerability scanners, said Barnett, director of application security research at Breach Security Inc.
Web application security:
XSS bugs, information leakage top list of website vulnerabilities: Companies are moving more rapidly to correct errors by feeding virtual patches into Web application firewalls, according to WhiteHat founder and CTO Jeremiah Grossman.
IT pros can detect, prevent website vulnerabilities, thwart attacks: Until vendors release a cohesive set of tools to protect against website attacks, IT security pros have a number of ways to detect vulnerabilities.
Video - OWASP Security Spending Benchmarks Project: An OWASP project investigates company spending on software development. A survey found a majority of firms getting an independent third-party security review of software code.
"Although all of the vulnerability scanning statistics list cross-site scripting as the No. 1 vulnerability in websites, the fact is that profit driven attackers are not yet leveraging them as they haven't figured out a way to directly monetize and automate them," Barnett said. "This may change in the near future, however, as more and more client driven attacks are being tested out on social network sites such as Facebook and Twitter."
Successful attacks on users of Facebook and Twitter demonstrate the ability of hackers to spread wormable code that can impact a large number of users, Barnett said.
A survey conducted by nCircle at the 2009 RSA Conference and the Infosecurity Europe conference found that IT security professionals are concerned about protecting their systems from Web application vulnerabilities. Fifty-eight percent of 272 respondents said their Web applications were less secure than the rest of their IT infrastructure.
It is also easier than ever for an attacker to exploit a flaw, said Tom Brennan, a board member of the Open Web Application Security Project (OWASP). Large amounts of documentation can be found on how a flaw works, and the availability of free scanners makes it easy to find and target problems, Brennan said.
"The low hanging fruit analogy is not really a good one any more," he said. "There are an awful lot of areas that you could attack and monetize."
Similar Web vulnerability statistics were released in May by vulnerability assessment vendor, WhiteHat Security Inc. WhiteHat said about 70% of the websites it scans are likely to have at least one critical website vulnerability, while another 63% are likely to have flaws that are in need of attention.
According to WhiteHat statistics, social networking sites were the most likely to contain coding errors followed by education and IT websites.
Security vendors, including WhiteHat and nCircle are touting scanning tools to find flaws. Many firms are also deploying Web application firewalls and applying virtual patches to defend against cyberattacks.
Security consultant and industry observer Eric Ogren said security vendors will integrate vulnerability scanning and penetration testing features into a cohesive set of security tools for IT. The adoption of Web application firewalls is driven primarily by compliance initiatives, but some security pros are also investing in detecting vulnerabilities in application source code.
"Assume all websites are vulnerable and will be exploited," Ogren said. "Put processes in place to detect the presence of malicious code to limit the damage of a successful attack and preplan to take action in the event of a breach."