Compliance Corner: The Need For Web Application Vulnerability Scanning

This month's article focuses on the trends in web application vulnerability analysis and their effects on regulatory compliance. As we are well aware, regulations require organizations to continually assess their publicly facing Internet environment for the presence of vulnerabilities that could expose customer information. Traditionally, vulnerability analysis has been focused at the network or operating system level. However, emerging trends show that web application level vulnerabilities are on the rise and are quickly becoming the main source of Internet attacks.

The Rising Trend of Application Level Vulnerabilities

Recent trends in web application vulnerabilities:
  1. Web application vulnerabilities continue to comprise the largest part of all vulnerability data. In 2007 web application security vulnerabilities comprised 70% of the total vulnerability information.
  2. Cross-Site Scripting continues to be the most prevalent web application vulnerability reported, with SQL injection and Remote File Inclusion (RFI) attacks not far behind.
  3. SQL injection vulnerabilities still constitute roughly 20% of the total web application vulnerability volume. In other words, 1 out of 5 reported vulnerabilities is usually a SQL related vulnerability.
  4. Insecure coding practices in PHP continue to contribute 30% of the total web application vulnerability volume. Vulnerabilities in PHP itself, as a programming language, tend to contribute only 1-3% of the total vulnerability volume. This indicates that insecure coding practices, and not PHP as a programming language, account for the majority of PHP-related vulnerabilities.
*2007 CIA Labs Web Application report

Why are web application attacks increasing?

Web applications have become an avenue of attack because of the rapid growth of the Internet.  Common types of web applications such as web mail, shopping carts and e-commerce sites allow masses of people to access systems quickly from anywhere in the world. However, web applications introduce a new generation of security vulnerabilities that require the implementation of strong security measures to mitigate these risks. Common application level attacks, such as injection and data manipulation, provide the potential for an unauthorized party to gain access to critical and proprietary information, use resources inappropriately, interrupt business or commit fraud.

Security professionals are devoting a lot of time and energy to identifying and correcting vulnerabilities in operating systems and server configuration. As server and operating system security hardens, hackers are forced to find alternative ways to break into computing resources to achieve their goals. Hackers are becoming knowledgeable about exploiting other avenues to gain access to computing resources, with web applications becoming their latest target. The Gartner Group states, "Today over 70% of attacks against a company's web site or web application come at the 'Application Layer' not the Network or System layer."

The Solution

Is your institution at risk of hacking through your web applications? Would you know if there are flaws in your current web code? How can you reduce your risks of web application attacks?

More and more institutions are finding that the best way to answer these questions is through continuous application assessment of their web or e-commerce site. There are many services offered on the market today that will perform targeted application level vulnerability checks of your web code, checks that are undetectable by traditional network based scanners. These deep web scanning services deliver fast scanning capabilities, broad security assessment coverage and accurate web application security scanning results.

To learn more about how Perimeter can help supplement your network based vulnerability and penetration services with deep web scanning services please call us.


Tom Neclerio, CISSP
VP of Security and Compliance
Perimeter eSecurity