In its annual security trends study, IBM Internet Security Systems' X-Force security research unit offers a look at some of the key trends and developments of 2008. One of its chief conclusions: Watch your Web apps.
"Nearly 55 percent of all vulnerability disclosures in 2008 affect Web applications, and this number does not include custom-developed Web apps -- only off-the-shelf packages," the report says. "Seventy-four percent of all Web application vulnerabilities had no available patch to fix them by the end of 2008."
This patching problem extends beyond the Web application space, IBM ISS's X-Force says. "Of all the vulnerabilities disclosed in 2008, only 47 percent can be corrected through vendor patches," the report says. "Vendors do not always go back to patch the previous year's vulnerabilities. Forty-six percent of vulnerabilities from 2006 and 44 percent from 2007 were still left with no available patch at the end of 2008."
Among Web application vulnerabilities, SQL injection jumped 134 percent in 2008 and now replaces cross-site scripting as the top Web app flaw, the report states. "Exploitation of sites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold in 2008, to several hundred thousand per day at the end of 2008," it says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message