Cenzic released its Application Security Trend Report for Q4 2007. The report consolidates findings for all of 2007, highlighting the Top 10 Web application vulnerabilities for Q4 and the Top Five Web application vulnerabilities for the year.
In spite of a slight decrease in total number of vulnerabilities, Web application vulnerabilities continue to be the largest percentage of vulnerability types, and increased 3 percent over Q3, while attacks and probes rose from 1.3 million in October to 1.7 million in December. In a surprising twist, Microsoft Internet Explorer proved to be the least vulnerable browser when compared to Safari, Opera and Mozilla Firefox.
As seen in the report, Web application vulnerabilities dominated much of 2007. We saw some major attacks through Web sites in 2007. We haven’t seen the impact from the holiday season yet because it often takes months for corporations to realize they have been attacked. In addition, hackers are no longer interested in publicizing their conquests; their main goal is now profit. While organizations are more conscious of security for Web applications, we need to see a lot more initiatives for Web security in 2008. Web application security is reaching a crisis point.
The Cenzic Application Security Trends Report emphasizes the Top 10 Web application vulnerabilities from published reports in Q4 2007, illustrating trends among thousands of corporations, financial institutions and government agencies. However, these findings do not take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications, many of which are outsourced to other countries including India, China and Russia.
In the report, Cenzic identified 1,404 unique published vulnerabilities in the fourth quarter of 2007, of which 71 percent were attributed to Web applications and 70 percent of the reported vulnerabilities were classified as easily exploitable. Cross-Site Scripting (XSS) and SQL Injection were the most frequent vulnerabilities reported, which was consistent throughout 2007.