NTA Monitor


Web application security goes from bad to worse in many sectors

NTA Monitor's 2010 Annual Web Application Security Report analysed the data gathered from web application security tests performed for a wide range of industry sectors over a 12-month period.

During this period the highest number of vulnerabilities NTA found in a single web application test was 73 issues across all risk categories, compared with 36 the previous year. The implications for an organisation that left these vulnerabilities unfixed are considerable, particularly as 7% of the security risks identified across all tests were high risks, compared to 5% in 2009. The 2010 report also saw three or more high risk issues identified in 12% of all tests conducted, and 16% of those tests found eight or more high risks, which was previously unheard of.

Overall the average number of vulnerabilities identified has increased from 13 to 14 issues per test in the 2010 report.

Government has seen the most significant change: the average number of vulnerabilities found in this sector has almost doubled since the findings published in 2009. It is not difficult to find a news story about data loss, security breaches or associated fines imposed by the ICO in the Government sector. Can we expect these to rise as the impending budget cuts have a potentially negative effect on web application security, and indeed on general security measures, in this sector?

Other sectors that saw a marked rise in the average number of vulnerabilities identified in 2010 are Manufacturing, Legal, Services and IT & Telecoms. The Legal sector is particularly noticeable here, as it, along with the Government sector, has seen the average number of high risks identified per test rise to two high risk issues.

Cross-site scripting (XSS) has again ranked highly in the vulnerability league table, but it should be noted that where organisations would previously have seen these issues reported as high risk, the trend over the year has seen these issues mitigated to a certain extent by other security measures in place, resulting in a higher number being classified as medium risks. This should not detract from the severity of the issue and the necessity to address and mitigate this effectively.

This shift in severity may be due to the fact that a high risk issue is one that allows unauthorised external users to obtain system access, without any interaction from the victim. However, in order for XSS to work, the victim is typically tricked into following a link through phishing techniques, meaning it requires some user interaction and is not a straightforward attack. The risk impact is also taken into consideration, i.e. an application that performs a credit card transaction will have a higher risk classification.

One of NTA's senior application testers comments, "there are some underlying trends that mean XSS vulnerabilities remain prevalent. With the introduction of Web 2.0, it has become essential for an application to accept more user input to enhance the user experience. Without proper input validation mechanisms, an application can open up more areas for an attacker to potentially exploit. Other factors, such as an unresponsive third-party vendor that owns the underlying code, can also contribute to the prevalence of the issue."

A copy of the full report, including the security tips for managing the most commonly occurring risks, is available by emailing marketing@nta-monitor.com

This article was first released on: 27th July 2010