Application Security Trends Report for Q2 2008
Cenzic released its report revealing the most prominent types of vulnerabilities for the second quarter of 2008. In the wake of sophisticated threats, such as the recent attacks on the Republic of Georgia’s government Web sites, it is apparent that cyberterrorism and cyberwarfare are now a relevant threat to homeland security.
As the recent Cenzic Application Security Trends Report for Q2 2008 depicts, United States organizations are still not fully prepared, as less than five percent of 100 million Web applications in the U.S. are being tested for security vulnerabilities. While the reported vulnerabilities have decreased slightly from Q1 2008, the percentage of Web vulnerabilities has risen.
This report surfaces approximately a week after the attacks on the Beijing Olympics, various retailers and the Republic of Georgia’s government Web sites, and presents a disturbing correlation between today’s Web vulnerabilities and their effect on homeland security. Synchronized attacks in the Russia-Georgia conflict are the sign of a disturbing trend that is becoming more mainstream, and evidence that cyber attacks are rapidly gaining acceptance as another weapon in war.
Cenzic Application Security Trends Report Q2 2008
The Cenzic Application Security Trends Report emphasizes the Top 10 Web application vulnerabilities from published reports in Q2 2008, illustrating trends among thousands of corporations, financial institutions and government agencies. In the report, Cenzic identified 1,200 unique published vulnerabilities for the second quarter of 2008, with Web technology vulnerabilities comprising 73 percent of the vulnerability volume and SQL injection accounting for an alarming 34 percent of the total Web vulnerabilities.
As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure, its leading-edge managed security assessment and penetration testing service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some key findings include:
- Seven of 10 analyzed Web applications engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions.
- Cross-Site Scripting continues to be the most common injection flaw, affecting seven out of 10 Web applications.
- Approximately two out of 10 Web applications were found to be vulnerable to types of SQL injection attacks that could result in a direct compromise of the application’s back-end database by an attacker or reveal sensitive information useful to an attacker.
- Information leaks and exposures, Cross-Site Scripting and Authorization and Authentication were among the most prevalent vulnerabilities.