3/3/2008
Extra Credit

The phrase "Web 2.0" has very little real meaning, as it refers more to Web application concepts than any specific technologies. Nevertheless, tools that are generally considered Web 2.0 have come under fire from several directions for the security vulnerabilities they represent.

More Information:
Web 2.0 Threats Loom Large for IT
Campus Technology's Security Page
Application Security Trend Report for Q4 2007 (PDF)

--D. Nagel
Web applications, by far, dominate the list of application security vulnerabilities facing IT organizations. While 29 percent of vulnerabilities are attributable to network and infrastructure weaknesses, a full 71 percent are attributable to both open source and commercial Web applications, according to a report released recently by security firm Cenzic Inc., "Application Security Trend Report for Q4 2007."
On the whole, according to the report, Web application vulnerabilities increased 3 percent in the fourth quarter of 2007 compared with the third quarter. And actual attacks and probes increased from 1.3 million in October 2007 to 1.7 million in December 2007.
The highest percentage of incidents came in the form of probes, attempted access, and scans, accounting for 59 percent of incidents in the fourth quarter. Others included investigation (16 percent), "improper usage" (10.3 percent), unauthorized access (7.6 percent), malicious code (6.9 percent), and denial of service (0.2 percent).
Web 2.0 Issues
In addition to general Web application vulnerabilities, the report highlights several vulnerabilities in technologies used in the development of Web 2.0 applications, adding to a growing list of reports targeting Web 2.0. (See sidebar for more.) These technologies and protocols, spotlighted in the report, include:
For the second half of 2007, these technologies combined represented some 178 identifiable vulnerabilities, with ActiveX by far the largest culprit at 111 individual vulnerabilities. (Flash came in second with 23, RSS in third with 14, and AJAX in fourth with 10.)