
News

Study: The Year's Top-10 Web Application Vulnerabilities

3/3/2008

Extra Credit
Web 2.0 Under Fire

The phrase "Web 2.0" has very little real meaning, as it refers more to Web application concepts than any specific technologies. Nevertheless, tools that are generally considered Web 2.0 have come under fire from several directions for the security vulnerabilities they represent.

More Information:

Web 2.0 Threats Loom Large for IT

Campus Technology's Security Page

Application Security Trend Report for Q4 2007 (PDF)

--D. Nagel

Web applications, by far, dominate the list of application security vulnerabilities facing IT organizations. While 29 percent of vulnerabilities are attributable to network and infrastructure weaknesses, a full 71 percent are attributable to both open source and commercial Web applications, according to a report released recently by security firm Cenzic Inc., "Application Security Trend Report for Q4 2007."

On the whole, according to the report, Web application vulnerabilities increased 3 percent in the fourth quarter of 2007 compared with the third quarter. And actual attacks and probes increased from 1.3 million in October 2007 to 1.7 million in December 2007.

The highest percentage of incidents came in the form of probes, attempted access, and scans, accounting for 59 percent of incidents in the fourth quarter. Others included investigation (16 percent), "improper usage" (10.3 percent), unauthorized access (7.6 percent), malicious code (6.9 percent), and denial of service (0.2 percent).

Web 2.0 Issues
In addition to general Web application vulnerabilities, the report highlights several vulnerabilities in technologies used in the development of Web 2.0 applications, adding to a growing list of reports targeting Web 2.0. (See sidebar for more.) These technologies and protocols, spotlighted in the report, include:

For the second half of 2007, these technologies combined represented some 178 identifiable vulnerabilities, with ActiveX by far the largest culprit at 111 individual vulnerabilities. (Flash came in second with 23, RSS third with 14, and AJAX fourth with 10.)


