NTA Monitor

Latest News

60% of UK website tests revealed Internet encryption and cross-site scripting vulnerabilities

10th April 2008 60% of web application tests performed for UK organisations showed that their websites contain weak encryption or cross-site scripting (XSS) vulnerabilities Read More

Demilitarised Zone most secure option for BlackBerry device

28th February 2008 Recent BlackBerry testing by IT security consultancy, NTA Monitor, has revealed that organisations are still not configuring these mobile devices correctly Read More

Retailers should put security top of their Christmas list

13th November 2007 With British consumers spending more than £6.6 billion online in the last two months of last year, the 2007 festive season is set to be one of great cheer for online retailers Read More

Businesses warned not to have skeletons in cupboards

13th November 2007 For many organisations, the festive season is an opportunity to heave a corporate sigh of relief and enjoy the brief respite in frenetic business activity as countless people all over the world, go home to celebrate Christmas Read More

90% of UK websites are insecure

90% of UK organisations' websites contain one or more vulnerability that may enable external users to gain unauthorised system access or disrupt service availability. A further 33% of websites have been found to contain critical vulnerabilities that are widely known and actively exploited by hackers.

These findings form part of NTA's Annual Web Application Security Report 2007, which analyses data gathered from web application security tests undertaken on behalf of a variety of organisations, including financial institutions, legal practices, universities and local government bodies, during 2006.

Roy Hills, Technical Director at NTA Monitor, says: "Web applications are accessible 24 hours a day, 7 days a week and control sensitive data such as customer details, credit card numbers and proprietary corporate data. With an ever increasing number of people using the Internet for personal business such as banking, bill payments and shopping, and as a core part of their working lives in terms of remote working and resource sharing, it's high time that organisations take greater steps towards protecting these revenue generating and efficiency enabling systems."

As the number, size and complexity of web applications increases, so does the risk exposure. Attackers focusing on web application security problems are actively developing tools and techniques for exploiting them. Three key recommendations that organisations can follow to reduce their risk are:

An account lockout mechanism should be in place to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute force user accounts
META characters such as single quotes, double quotes and semi colons should be disallowed in order to minimise the threat of SQL injection attacks, which are a high risk vulnerability
In order to help protect against keystroke loggers, the mouse and keyboard should both be used during login processes, for instance, users should be asked to use drop-down boxes or radio buttons as well as keying in details

The full report contains further recommendations and not only looks at the different types of vulnerabilities found in organisations, but also examines how a range of industry sectors fair against the average findings. It is available from NTA by emailing marketing@nta-monitor.com

This article was first released on: 21st March 2007