CARLSBAD, Calif. -- Breach Security Labs, the research arm of Breach Security, Inc., the leading provider of real-time, continuous web application security, today announced the findings of its annual Web Hacking Incident Report. Based on data gathered in 2007 through the Web Hacking Incidents Database (WHID) project overseen by the Web Application Security Consortium (WASC), the findings indicate that 40 percent of attacks were waged to harvest personal data. Sixty-seven percent of all attacks in 2007 were profit-motivated. SQL injection, at over 20 percent of the total, was the most common technique used in the attacks. Breach Security's vice president of security research, Ofer Shezaf, is the WHID project leader.
Established in 2005, the WHID focuses on reported web hacking incidents, enabling researchers to go beyond a basic-level discussion of web vulnerabilities and provide deeper analysis of real-world incidents, including the type of site, the motivation, the source and the impact of each attack. To be included in the 2007 WHID Web Hacking Incident Report, an incident had to be publicly reported, associated with a web application vulnerability and have an identified outcome.
The 2007 WHID data indicates that more than 44 percent of incidents over the course of the year were tied to non-commercial sites such as government and education. WHID researchers speculate that these numbers are potentially influenced by a higher rate of disclosure at such organizations due to laws requiring public disclosure of breaches in which sensitive information was leaked.
On the commercial side, the poorly designed or vulnerable web applications most commonly exploited belonged to Internet-only businesses such as social networking, search engine and hosting providers. With membership on social networking sites exceeding tens of millions, this is especially worrisome: as membership grows, the impact of these attacks grows with it.
"Web application security is about visibility," said Jeremiah Grossman, WASC co-founder and CTO of WhiteHat Security. "As researchers, it's vital that we are able to see what the hackers can exploit, what they are exploiting, examine why and how, and based on this, trend where they're going to exploit next."