
Risk

4/16/2012 11:49 AM
Dark Reading
Products and Releases

New Report Finds Core Vulnerabilities Persist In Web Applications

Cenzic details prevalence of critical application layer vulnerabilities, such as Cross Site Scripting (XSS) and SQL Injection

Campbell, Calif. – April 12, 2012 – Cenzic Inc., the leading provider of application security intelligence to reduce security risks, today announced the release of the Cenzic Trends Report for 2011 through Q1 2012. The report details the continued threat of vulnerabilities within Web and mobile applications, and outlines specific vulnerabilities with cloud-based implications. The report reveals an alarming trend for security professionals: the continued prevalence of critical application layer vulnerabilities, such as Cross Site Scripting (XSS) and SQL Injection. Though fixes for these well-known vulnerabilities exist, the flaws continued to dominate, with XSS climbing to a staggering 38 percent of total Web vulnerabilities, up slightly from the second half of 2010. SQL Injection accounted for 15 percent of the total number of Web vulnerabilities.

“As businesses worry about the next big security threat, they fail to realize the threats that are right in front of them,” said John Weinschenk, CEO of Cenzic. “From an industry-wide perspective, the fact that this amount of well-known vulnerabilities continues to persist is a signal that education, diligence, and proper coding during the development phase are a necessity in today’s cyber world. Real change can only happen by adhering to these principles.”

The Trends Report also details the vulnerabilities related to cloud and mobile device usage, noting that a total of 89 mobile vulnerabilities were made public in 2011, while out of a set of 1201 publicly reported vulnerabilities, 855 had cloud-based security implications. As mobile devices continue to be used to access online cloud computing platforms, emerging hybrid vulnerabilities have developed as well.

“The growing demand for cloud applications and mobile devices that access them is creating a unique problem,” continued Weinschenk. “Each has its own set of security issues, but when used in tandem, they can produce hybrid vulnerabilities that compound threats and increase the complexity of secure coding. By exploiting vulnerabilities in a mobile application a hacker can open up an attack vector to a preexisting vulnerability on the cloud-based application, and vice versa.”

Key findings of the Cenzic Trends Report include:

Web vulnerabilities

· In the first two months of 2012, 59 percent of all reported security vulnerabilities were Web vulnerabilities

· In 2011, Cross Site Scripting (XSS) accounted for 38 percent of total Web vulnerabilities

Mobile vulnerabilities

· A total of 89 mobile vulnerabilities were made public in 2011 and so far in 2012 (Jan-Feb) 11 mobile vulnerabilities have been made public.

· Sensitive Information Disclosure (28 percent) and Session Authentication and Authorization (28 percent) make up the bulk of the vulnerabilities.

Cloud vulnerabilities

· In 2011, out of a set of 1201 publicly reported vulnerabilities, 855 had cloud-based security implications

· Specific security vulnerabilities were found in cloud-based applications including EyeOS, OrangeHRM, The Parallels Plesk Panel, Oracle Fusion Middleware, Batavi E Commerce, deV!ls ClanPortal, and more.

To download a PDF version of the full report, please visit http://info.cenzic.com/2012-Applicaiton-Security-Trends-Report.html

Important Links

· Cenzic Mobile Application Security Solution
· Cenzic Website
· Cenzic Twitter
· Cenzic Facebook

About Cenzic

Cenzic provides the leading application security intelligence platform to continuously assess Cloud, Mobile and Web applications to reduce online security risk. Cenzic’s solutions scale from single applications to enterprise-level deployments with hybrid approaches that enable testing of applications at optimal levels. Cenzic helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic’s solutions are used in all parts of the software development lifecycle, and most importantly in production, to protect against new threats even after the application has been deployed. Cenzic’s application security intelligence platform is architected to handle web, cloud and mobile applications and is the first to provide risk reduction recommendations for business, application developers and specific applications. Today, Cenzic secures more than half a million online applications and trillions of dollars of commerce for Fortune 1000 companies, all major security companies, government agencies, universities and SMB companies.
