November 11, 2009

Web application security is growing problem for enterprises

Security flaws in Web applications can allow attackers to steal data, plant malicious code, or break into other internal systems

The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic.

Almost 80 percent of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins, and Web browsers. That number is about 10 percent higher than the number of flaws reported in the same period last year -- and nine out of 10 of the flaws were found in commercial code.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Similar numbers have been reported by others. A mid-year trend and risk report released by IBM showed that Web application threats have become the No. 1 source of security pain for enterprises. Attacks targeting these flaws have also risen sharply, in some cases doubling in less than a year.

The numbers suggest that vendors and Web application owners need to address Web application security issues, said Cenzic CTO Lars Ewe. "We are still stuck in the same situation we have been for a long time," Ewe said.

The kind of "significant muscle" the industry put into dealing with network and perimeter-based software vulnerabilities has been missing when it comes to application security, he said. "This is going to be long-winded process."

Security flaws in the Web application layer can allow attackers to steal data, plant malicious code or break into other internal systems. Some of the most common vulnerabilities include SQL injection and cross-site scripting flaws and authorization and authentication errors. The massive data thefts at Heartland Payment Systems and several retailers recently resulted from SQL injection errors that allowed intruders to insert malicious code into their enterprise networks.

Though the security risks posed by such vulnerabilities have been well understood for years, a large and growing number of companies continue to be exposed to them.

At least part of the growth in vulnerabilities is tied to the rising number of Web applications and Web sites that spring up each year, said Chenxi Wang, a researcher with Forrester Research in Cambridge, Mass.

But buggy Web software products and sloppy in-house development processes continue to be huge issues, too.

Roughly 90 percent of the vulnerabilities analyzed by Cenzic for its report, which was released yesterday, existed in commercial, off-the-shelf software from both big and small vendors. Much of it appears to be the result of a continued emphasis on time-to-market at the expense of secure coding practices, Ewe said. "Engineering organizations are being measured on how fast they can respond to market pressures as opposed to how secure a system they can build," he said.

The same factors have made security an afterthought with most internally developed Web applications, as well, he said. Cenzic's analysis found numerous vulnerabilities in proprietary products outsourced to programming firms in India, China, Russia, and other countries.

Close

On Twitter now

Web applications

Powered by Twitter

On Twitter now

White Paper

D2D Virtual Tape Library Replication Primer

This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.

Download now »

White Paper

An Alternative to Virtualization for Datacenter Cost Savings

Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.

Download now »

White Paper

Why Your Firewall, VPN, and IEEE 802.11i Aren't Enough to Protect Your Network

The emergence of WLANs has created a new breed of security threats to enterprise networks.

Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation

Download now »

White Paper

Bringing the Edge to the Data Center

Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.

Download now »

Sign up to receive InfoWorld Resource Alerts

Subscribe to the Security Central Newsletter

Stay informed of the latest security threats and fixes.

White paper

Log Management: How to Develop the Right Strategy for Business and Compliance

This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.

Download now! »

White paper

The Essential Series: Security Information Management

Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.

Download now! »

White paper

Aberdeen: Choosing and Consuming Managed Security Services

Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.

Download now! »
©1994-2009 Infoworld, Inc.