Popular vendors including Sun, IBM, and Apache continue to appear among the top 10 vendors with the most vulnerable Web applications named in the report. The most commonly published exploits against commercial applications targeted SQL Injection and Cross-Site Scripting (XSS) vulnerabilities, which account for 25 percent and 17 percent of all Web attacks, respectively. Among Web browsers, Mozilla Firefox had the largest share of reported vulnerabilities, followed by Apple Safari, which showed a sharp increase in exploits due to vulnerabilities reported in the iPhone version of Safari.
"The fact that hackers can have direct access to your data using such common outlets is staggering," said Mandeep Khera, chief marketing officer at Cenzic. "The worst part is that once they get in, it's a free-for-all. Nothing is safe because there is no such thing as a minor data breach. The average data breach can cost more than $500,000, which can also put a business's livelihood and reputation on the line. The most surprising thing that we discovered while writing the Cenzic Trends Report, however, is that in spite of the fact that vulnerabilities are so easily identifiable and widely exploited by hackers, and there are now low-cost, turnkey SaaS solutions available, businesses are not focused on securing their Web applications. They are a serious and potentially lethal blind spot for businesses. With the holiday shopping season approaching, all we can say is consumer beware."
Findings from Cenzic's Q1-Q2 Trends Report point to the continued growth of attacks through Web applications. Web application vulnerabilities continue to make up the largest share of the reported vulnerability volume, accounting for roughly 78 percent of all vulnerabilities reported.
Cenzic Application Security Trends Report Q1-Q2 2009
The Cenzic Application Security Trends Report highlights the Top 10 Web application vulnerabilities from published reports in Q1-Q2 2009, illustrating trends among thousands of corporations, financial institutions and government agencies. The Top 10 list for the first half of 2009 included familiar vendors and products such as Sun, IBM, Mozilla, Apache, and Safari; most of the affected Web applications had vulnerabilities related to information leaks and exposures, Cross-Site Scripting, and session management.
As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure, its managed security assessment service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Key findings include:
-- 78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, Web applications, Web browsers, plugins and ActiveX controls, a significant increase from last year.
-- Of Web browser vulnerabilities, Firefox had the largest percentage, at 44 percent. Safari vulnerabilities came in at 35 percent, significantly higher than even Internet Explorer.
-- Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009.
To download a PDF version of the Q1-Q2 Trend Report, please visit http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf.
In addition, to learn how your company can receive a free analysis of its potential Web vulnerabilities with Cenzic's recently announced HealthCheck program, please visit: https://www.cenzic.com/GetHealthCheck/. This new program continues Cenzic's goal of ensuring every Web site in the world is secure, preventing cybercrime and ending the exploits that hackers employ.
Cenzic is the next-generation Web application security assessment and risk management solutions leader. The Cenzic suite of application security solutions fits the need of any company from remote, Software as a Service (ClickToSecure™), for testing one or many applications, to a full enterprise-wide solution (Cenzic Hailstorm™ Enterprise ARC) for effectively managing application security risks across an enterprise. Always an innovator, Cenzic has integrated Hailstorm with VMware to enable testing of production Web applications through virtualization -- making Cenzic the only company in the industry with a complete solution for assessing Web applications in all stages from development to production. In addition, Cenzic solutions, targeted at financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.