Wednesday, 18 April 2012

HP study finds widespread custom Web application flaws

The number of new vulnerabilities publicly reported in 2011 declined by 20%, but an analysis by Hewlett-Packard of custom Web applications found them riddled with common coding errors.

The data shows custom Web application coding errors are widespread, HP said, and attackers are targeting them in greater numbers.

HP warns security professionals not to take a false sense of security from the overall decline in publicly reported vulnerabilities. According to the HP 2011 Cyber Security Risks Report, the decline can be attributed to several factors, including improvements in software security and changing vulnerability disclosure trends that may be leaving a significant number of vulnerabilities uncounted. The report, issued this week, offers an in-depth analysis of data from the Open Source Vulnerability Database (OSVDB), HP DVLabs' Zero Day Initiative, and HP Fortify's Web security researchers.

While Web application flaws in commercially available software have been in decline since 2006, a review of more than 359 unique custom Web applications conducted by HP Fortify paints a very different picture. Many of the custom applications were riddled with common coding errors, leaving them open to cross-site scripting and SQL injection attacks.

Static analysis of the custom Web applications found that more than half were vulnerable to reflected cross-site scripting and 86% to injection flaws. The applications were also susceptible to insecure direct object references, and nearly all of them to information leakage and improper error handling. Dynamic analysis, which tests the running application by sending it input and observing its responses, found that more than 66% were susceptible to insecure communications. "99% of hacking is information gathering, so this isn't insignificant," the report notes.
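The three flaw classes the static analysis found most often, reflected cross-site scripting, SQL injection and information leakage through improper error handling, are coding errors rather than exotic bugs. The following is an added example, not code from HP's report or from the original post: each flaw is written as a vulnerable request handler beside a hardened one. It uses only the Python standard library; the `users` table, the in-memory SQLite database and the request parameters are constructed here for illustration.

```python
# Added example, not code from HP's report or the original post: the flaw
# classes the static analysis found most often (reflected XSS, SQL injection,
# information leakage through improper error handling), each as a vulnerable
# handler beside a hardened one. Standard library only; the users table,
# request parameters and the in-memory SQLite database are constructed here.
import html
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory database standing in for the application backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def param(query_string, name):
    """First value of a query-string parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


# Reflected XSS: the search term is echoed straight into the HTML response,
# so ?q=<script>... runs in the browser of anyone who follows the link.
def search_page_vulnerable(query_string):
    return "<p>Results for: " + param(query_string, "q") + "</p>"


# Hardened: untrusted input is entity-encoded for the HTML text context it
# lands in; quote=True also covers attribute-value contexts.
def search_page_hardened(query_string):
    return "<p>Results for: " + html.escape(param(query_string, "q"), quote=True) + "</p>"


# SQL injection: the username is spliced into the query text, so a value
# such as  ' OR '1'='1  rewrites the WHERE clause.
def lookup_vulnerable(conn, username):
    sql = "SELECT name, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


# Hardened: a bound parameter is sent as data; the driver never parses it as SQL.
def lookup_hardened(conn, username):
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (username,)
    ).fetchall()


# Improper error handling / information leakage: the driver's message (which
# carries query fragments and table names) is sent to the client.
def user_page_vulnerable(conn, query_string):
    try:
        rows = lookup_vulnerable(conn, param(query_string, "user"))
    except sqlite3.Error as exc:
        return "<pre>Database error: " + str(exc) + "</pre>"
    return "<p>" + ", ".join(name for name, _ in rows) + "</p>"


# Hardened: bound query, escaped output, generic error text; the exception
# detail goes to a server-side log (a list here, standing in for a logger).
def user_page_hardened(conn, query_string, log):
    try:
        rows = lookup_hardened(conn, param(query_string, "user"))
    except sqlite3.Error as exc:
        log.append(repr(exc))
        return "<p>An error occurred. Please try again later.</p>"
    return "<p>" + ", ".join(html.escape(name) for name, _ in rows) + "</p>"


if __name__ == "__main__":
    db = make_db()
    xss = "q=<script>alert(1)</script>"
    print(search_page_vulnerable(xss))               # script tag reaches the page
    print(search_page_hardened(xss))                 # entity-encoded, inert
    print(lookup_vulnerable(db, "' OR '1'='1"))      # both rows: filter bypassed
    print(lookup_hardened(db, "' OR '1'='1"))        # []: treated as a literal name
    print(user_page_vulnerable(db, "user=o'brien"))  # leaks the SQL syntax error
    print(user_page_hardened(db, "user=o'brien", []))
```

The hardened handler fixes all three problems at once because they share a root cause: untrusted input crossing a trust boundary (into SQL, into HTML, or out through an error message) without being treated as data for that boundary. Static analysis tools flag exactly these flows, which is why the report could count them across hundreds of applications.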

Web application attacks grew almost 50% from 2010 to 2011 and made up 13% of all attacks observed by TippingPoint IPS customers and by the honeypots HP uses to capture new exploits for trend analysis and emerging-threat detection. HP found most of these attacks driven by the Black Hole Exploit Kit, an automated attack toolkit known for spreading the Zeus, Cutwail, SpyEye, and Carberp botnets.

"Basic security mistakes such as information leakage and insecure communications are still being made at all organization size levels," according to the report. "Measures can be taken to ensure information potentially useful to attackers is not included in the application. Ultimately, the solution is for security to be 'baked in' to the development process, not brushed on."

The report also found website administrators failing to deploy patches or to enable the browser security features built into Microsoft Internet Explorer 8 that stop reflected cross-site scripting attacks from executing (the IE8 XSS Filter, which a site controls through the X-XSS-Protection response header).

Adobe Shockwave topped the list of the ten commercial products with the most disclosed vulnerabilities in 2011, followed by Apple QuickTime, HP Data Protector and Oracle Java. The data comes from HP DVLabs' Zero Day Initiative, which buys vulnerability information from security researchers and passes it to the affected vendors at no cost. RealNetworks RealPlayer, Adobe Reader, Microsoft Internet Explorer, Microsoft Office, Novell iPrint and HP OpenView made up the rest of the ZDI Top 10.
