Application weaknesses rise 50 per cent as networks tighten up
An analysis of 100 security tests carried out over the past five years shows that application level weaknesses are up by 50 per cent.
Baseline security tests carried out since the beginning of 2004 were scrutinised in terms of both network and application layers by security services provider Orthus. The tests were carried out over industry sectors including banking, insurance, finance, retail, manufacturing, transport, utilities, health and education.
The study revealed nearly 2,000 vulnerabilities overall. At least one security vulnerability was found at network level in all tests and 97 per cent found at least one vulnerability at application level.
But network layer weaknesses had dropped from an average of 14 per test in 2004 to an average of six in tests carried out in 2008, representing a drop of 57 per cent. This contrasted with the rise in application level weaknesses from eight per test in 2004 to 12 per test in 2008 – a rise of 50 per cent.
Other worrying findings include a 25 per cent increase in SQL injection and related input-handling weaknesses, and a 23 per cent increase in cross-site scripting.
Richard Hollis, managing director of Orthus, said: “Security teams are getting better at eradicating network and operating system related issues but the application layer is less well addressed. Companies need to adopt secure coding guidelines as part of a comprehensive secure software development lifecycle. It can be done. The three per cent of applications that were extremely well-written and configured when tested are proof of that.”
He recommended that organisations that outsource web application development should provide security standards to partners and insist on periodic independent code reviews, as well as application testing of all major releases. Issues fixed in one release “have a habit of reappearing in the next”, he warned.
The application layer is increasingly targeted because it is the route by which marketable information can be extracted from the backend database behind it.
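The following is an added illustration, not code from the Orthus study or from the article, of the weakness the figures above count most often: a lookup that builds SQL from user input and so hands the backend database to whoever controls that input, beside the parameterised form that fixes it, and a regression check of the kind that stops a fix from reappearing as a finding in the next release. The table, sample rows, function names and attack string are all constructed for the example.

```python
"""
Added example (not from the article or the Orthus study): a customer
lookup against an in-memory SQLite table, first written with string-built
SQL (the SQL injection weakness the article counts), then with a bound
parameter, plus a regression check to keep in the release test suite.
Schema, sample rows and the payload are constructed for illustration.
"""
import sqlite3


def make_db():
    """Build a throwaway database holding the 'marketable' kind of data
    the article says attackers reach through the application layer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the caller's string becomes part of the SQL text, so a
    quote in it changes the statement instead of being matched as data."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, email):
    """Fixed: the value is bound as a parameter; the SQL text is constant
    and the driver never interprets the input as statement syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed payload: closes the opening quote and appends a condition
# that is always true, turning a single-row lookup into a full dump.
PAYLOAD = "x' OR '1'='1"


def regression_check(lookup):
    """Return True only if `lookup` still finds a real customer and returns
    nothing for the injection payload. Running this against every release
    is what stops a fixed issue from quietly coming back."""
    conn = make_db()
    legit = lookup(conn, "alice@example.com")
    injected = lookup(conn, PAYLOAD)
    return legit == [("alice@example.com", "1111")] and injected == []


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup with payload:", lookup_vulnerable(db, PAYLOAD))
    print("fixed lookup with payload:     ", lookup_fixed(db, PAYLOAD))
    print("regression check, vulnerable:  ", regression_check(lookup_vulnerable))
    print("regression check, fixed:       ", regression_check(lookup_fixed))
```

The vulnerable variant returns every row for the payload, which is exactly the backend extraction the article describes; the fixed variant returns nothing because the whole string is compared as a literal email address. The regression check is deliberately written against the lookup function rather than the query text, so it keeps working when the code is refactored and fails the moment someone reintroduces string concatenation.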