With the Black Hat security conference under way in Las Vegas, the
pace and volume of security related news is just warming up. To help get it started, security analysis vendor Cenzic today issued its second-quarter Application Security Trends report claiming that, once again,
vulnerabilities are on the rise.
But is Cenzic just fear mongering with its recent report? Mandeep Khera, vice president of marketing at Cenzic, doesn’t think so at all.
“In fact, if anything, we believe that companies need to be more scared,”
Khera said. “Corporations need to wake up and realize that they are being
hacked all the time through their Web applications. Growing Web
vulnerabilities is just a symptom. We have a long way to go in protecting
our infrastructure when it comes to Web applications. We better start right
now or we’ll never catch up.”
The Cenzic study identified 1,484 unique published vulnerabilities in the
second quarter of 2007. Seventy-two percent of the vulnerabilities were found in Web technologies, a 7 percent increase from the previous quarter. Perhaps more alarmingly Cenzic has classified the bulk
of the web vulnerabilities as being easily exploitable.
Or are they?
Cenzic’s studies noted a number of vulnerabilities in both PHP and the
Apache HTTP Web Server. But Cenzic didn’t discover the vulnerabilities. Instead, Khera admitted, the firm only analyzed the published vulnerabilities.
In the case of the Apache HTTP and PHP issues, patches for the
vulnerabilities listed by Cenzic have been issued by their respective
developers. Khera noted that the question to ask is how many
companies have applied the patch?
However, even if users have patched their software, Khera admitted that Cenzic
hasn’t tested to see whether the patches work.
The real danger that the Cenzic report highlights is the risk from
unpublished vulnerabilities. Cenzic claims that there are thousands of them
and that they are usually in homegrown applications, but that’s not always
“In the past, we have found vulnerabilities in Oracle and Yahoo but Cenzic
believes in following a responsible vulnerability disclosure policy,” Khera
said. “We inform the vendors and give them up to 45 days to fix the
vulnerability and let their customers know before we release to the public.”
Not all security researchers are as ethical as Cenzic claims to be. Khera
alleged that there are many ethical hackers and even app security vendors
who do not follow a responsible disclosure policy. To add further insult to
injury Khera alleged that some ethical hackers and app security vendors even
attack other sites to prove that they have vulnerabilities on their sites.
“These guys then post messages on various message boards claiming that they
found vulnerabilities on those sites,” Khera stated. “We believe that this
approach is not only amateurish, and irresponsible but also illegal since
they are attacking without authorization.”
Cenzic expects that attacks on Web
applications will continue to grow. With Khera expecting that compliance
issues and disclosure policies will force companies to make more attacks
The types of attacks that are expected in the future are the same that
Cenzic sees today — namely cross site scripting (XSS), Cross-Site Request
Forgery, and Session Management types of vulnerabilities. The Q2 Cenzic
report alleges that 60 percent of Web applications are vulnerable to XSS.
In contrast Cenzic reported that only 20 percent of Web applications were
vulnerable to SQL injection types of attacks.
Khera alleged that because most developers are under time pressure they
might not code with XSS in mind.
“On the positive side, we think a lot more companies will start using some
kind of solution to test their applications as the awareness is growing
rapidly,” Khera said.