3/3/2008
Extra Credit
The phrase "Web 2.0" has very little real meaning, as it refers more to Web application concepts than any specific technologies. Nevertheless, tools that are generally considered Web 2.0 have come under fire from several directions for the security vulnerabilities they represent.
More Information:
Web 2.0 Threats Loom Large for IT
Campus Technology's Security Page
Application Security Trend Report for Q4 2007 (PDF)
--D. Nagel
Web applications, by far, dominate the list of application security vulnerabilities facing IT organizations. While 29 percent of vulnerabilities are attributable to network and infrastructure weaknesses, a full 71 percent are attributable to both open source and commercial Web applications, according to a report released recently by security firm Cenzic Inc., "Application Security Trend Report for Q4 2007."
On the whole, according to the report, Web application vulnerabilities increased 3 percent in the fourth quarter of 2007 compared with the third quarter. And actual attacks and probes increased from 1.3 million in October 2007 to 1.7 million in December 2007.
The highest percentage of incidents came in the form of probes, attempted access, and scans, accounting for 59 percent of incidents in the fourth quarter. Others included investigation (16 percent), "improper usage" (10.3 percent), unauthorized access (7.6 percent), malicious code (6.9 percent), and denial of service (0.2 percent).
Web 2.0 Issues
In addition to general Web application vulnerabilities, the report highlights several vulnerabilities in technologies used in the development of Web 2.0 applications, adding to a growing list of reports targeting Web 2.0. (See sidebar for more.) These technologies and protocols, spotlighted in the report, include:
For the second half of 2007, these technologies combined represented some 178 identifiable vulnerabilities, with ActiveX by far the largest culprit at 111 individual vulnerabilities. (Flash came in second with 23, RSS in third with 14, and AJAX in fourth with 10.)