80% of Web-related security vulnerabilities are in applications, according to a new report from Cenzic, Inc. Chief among the vulnerable? Browsers, with Microsoft's Internet Explorer and Mozilla's Firefox leading the list by a long shot. Reading bMighty with a browser? Of course you are -- and if you're using either IE or Firefox, of course you know that you're using vulnerable technology.
A new security trends report from Cenzic, Inc. found that in the second half of 2008, IE had the most reported browser vulnerabilities, with 43%. Firefox fans can't throw too many stones, though: according to Cenzic, Firefox came in a close second with 39% of reported browser vulnerabilities. Apple's Safari drew 10% of the reports, while Opera accounted for 9%.
But browsers are nothing compared to Web apps. A breathtaking 80% of vulnerabilities reported in the second half of 2008 involved Web-based applications.
Overall numbers were up, too, by 10%, to 2,835 reported vulnerabilities.
The vulnerability assessment and risk management company's Top Vulnerabilities List includes the following Web application areas of concern:
* SQL Disclosure
* Forceful Browsing Past Authorization Boundary
* Insufficient Password Strength
* Cross-Site Scripting
* Buffer Overflow
* Command Injection
* SQL Parser
* All Forms Submitted via SSL
That list should give you, your IT team and vendors plenty of pause (and plenty of matters to address/redress while you pause) -- and the presence of weak passwords as a major vulnerability (no surprise there, of course) should send your strong password policy memo into circulation again, now. The entire Cenzic Web Applications Security Trends Report Q3-Q4 2008 can be downloaded here.