Web application security efforts fall short, report shows

Computerworld - The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic Inc.

Almost 80% of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins and Web browsers. That number is about 10% higher than the number of flaws reported in the same period last year -- and nine out of 10 of the flaws were found in commercial code.

Similar numbers have been reported by others. A mid-year trend and risk report released by IBM showed that Web application threats have become the No. 1 source of security pain for enterprises. Attacks targeting these flaws have also risen sharply, in some cases doubling in less than a year.

The numbers suggest that vendors and Web application owners need to address Web application security issues, said Cenzic CTO Lars Ewe. "We are still stuck in the same situation we have been for a long time," Ewe said.

The kind of "significant muscle" the industry put into dealing with network and perimeter-based software vulnerabilities has been missing when it comes to application security, he said. "This is going to be long-winded process."

Security flaws in the Web application layer can allow attackers to steal data, plant malicious code or break into other internal systems. Some of the most common vulnerabilities include SQL injection and cross-site scripting flaws and authorization and authentication errors. The massive data thefts at Heartland Payment Systems and several retailers recently resulted from SQL injection errors that allowed intruders to insert malicious code into their enterprise networks.