Unpatched, in-house applications are the next target for attackers

Hackers are moving from infiltrating and attacking companies via commercial applications to exploiting in-house programs.

According to HP's 2011 Top Cyber Security Risks Report, publicly disclosed vulnerabilities continue to decline year on year, with 19.5 per cent fewer in 2011 than in 2010, while the market for private vulnerability sharing increased. However, the report claimed that vulnerabilities in custom-built applications are escalating.

Talking to SC Magazine, Simon Leech, pre-sales director EMEA at HP Enterprise Security, said attackers are shifting to in-house-developed applications as attacks move from opportunistic to more targeted ones.

He said: “Vendors will not have signatures to patch vulnerabilities on in-house applications. Our research found that 54 per cent of in-house applications had reflected cross-site scripting (XSS) flaws; 40 per cent had persistent XSS failings; and 86 per cent injection flaws. Protecting and fixing these applications is becoming very relevant to protecting the infrastructure.

“These applications were written in-house and no one expected them to be on the internet, so to produce secure code becomes very important.”

The report also found that the disclosure of new vulnerabilities in commercial applications has slowly declined since 2006, dropping nearly 20 per cent in 2011 from the previous year. However, data from the report demonstrates that this decline does not signify decreased risk.

It also found that attacks via exploit kits vastly increased in 2011, with a marketplace developing to trade kits and rewrite code so that it is undetectable by anti-virus software.
