Vulnerabilities / Threats
7/31/2007
09:25 AM
Connect Directly
RSS
E-Mail
50%
50%

Report: Rise in Web App Vulnerabilities

Cenzic released its Application Security Trends Report - Q2 2007

SANTA CLARA, Calif. -- Cenzic Inc., the innovative leader of application vulnerability assessment and risk management solutions, today released its Application Security Trends Report - Q2 2007, proving once again that organizations are failing to optimize their Web application security methods. While this report highlights the Top 10 vulnerabilities from published reports in Q2 2007, Cenzic estimates there are thousands of vulnerabilities that remain unpublished due to the lack of reports and the vast amounts of home grown applications. It is estimated that there are more than 100 million Web applications that facilitate transactions and collection information, yet less than five percent of applications are tested for vulnerabilities. The report provides a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings.

"We are at a critical stage when it comes to securing Web applications. With less than one percent of applications tested, millions of applications are vulnerable and ripe for hackers," said Mandeep Khera, VP of marketing for Cenzic. "Even the organizations that do test are still focused on testing only the applications in the development or Quality Assurance stage. With 99 percent of the applications in the production stage at any given point, these corporations are extremely exposed and vulnerable. They will get hacked. It's not a question of if but when."

"Our analysis for Q2 illustrates a very high percentage of published vulnerabilities in Web technologies, similar to the Q1 findings. This is a clear indication that network security is maturing, while application security is in its early stages," said Tom Stracener, senior security analyst at Cenzic. "While our analysis shows top vulnerabilities in Java, Apache, Apple and PHP applications, these reflect only the published vulnerabilities. There still remain thousands of vulnerabilities that are not published or reported."

Cenzic Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.