The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic Inc.
Almost 80% of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins and Web browsers. That number is about 10% higher than the number of flaws reported in the same period last year — and nine out of 10 of the flaws were found in commercial code.
Similar numbers have been reported by others. A mid-year trend and risk report released by IBM showed that Web application threats have become the No. 1 source of security pain for enterprises. Attacks targeting these flaws have also risen sharply, in some cases doubling in less than a year.
The numbers suggest that vendors and Web application owners need to address Web application security issues, said Cenzic CTO Lars Ewe. “We are still stuck in the same situation we have been for a long time,” Ewe said.
The kind of “significant muscle” the industry put into dealing with network and perimeter-based software vulnerabilities has been missing when it comes to application security, he said. “This is going to be long-winded process.”
Security flaws in the Web application layer can allow attackers to steal data, plant malicious code or break into other internal systems. Some of the most common vulnerabilities include SQL injection and cross-site scripting flaws and authorization and authentication errors. The massive data thefts at Heartland Payment Systems and several retailers recently resulted from SQL injection errors that allowed intruders to insert malicious code into their enterprise networks.
Though the security risks posed by such vulnerabilities have been well understood for years, a large and growing number of companies continue to be exposed to them.
At least part of the growth in vulnerabilities is tied to the rising number of Web applications and Web sites that spring up each year, said Chenxi Wang, a researcher with Forrester Research in Cambridge, Mass.
But buggy Web software products and sloppy in-house development processes continue to be huge issues, too.
Roughly 90% of the vulnerabilities analyzed by Cenzic for its report, which was released yesterday, existed in commercial, off-the-shelf software from both big and small vendors. Much of it appears to be the result of a continued emphasis on time-to-market at the expense of secure coding practices, Ewe said. “Engineering organizations are being measured on how fast they can respond to market pressures as opposed to how secure a system they can build,” he said.
The same factors have made security an afterthought with most internally developed Web applications, as well, he said. Cenzic's analysis found numerous vulnerabilities in proprietary products outsourced to programming firms in India, China, Russia and other countries.
Adding to the problem is the growing complexity of Web application environments, especially since most of them are designed to receive and process input from external sources, such as customers and business partners. Large Web applications can have hundreds of places where users input data, each of which offers an opportunity for an attacker to inject malicious code into the system.
Finding such vulnerabilities isn't easy, Wang said. And fixing them can be even harder because of the highly interconnected nature of Web applications. For example, fixing a code-injection error in a shopping cart function in an e-commerce application could require several tweaks to the entire application, she said.
Automated tools are available today to scan Web application code for errors and for penetration tests. While Web application firewalls, intrusion detection systems and data encryption measures can mitigate some of the risks, companies running Web applications still need to ensure that the underlying code is as clean as possible, according to analysts.