Cyber Security Institute
Monday, January 16, 2006
Web applications are easy targets
This year kicked off with yet another panic over a vulnerability in Windows, this time an image-handling flaw that exposed users to attack if they encountered a malicious Windows Metafile (WMF). The WMF bug caused significant damage, but less than some expected, which may indicate that the industry is gradually learning to manage client security.
Operating systems, even Windows, are getting more secure. Automatic software updates, running with limited user rights, safer web browsers and better firewalls are gradually making a difference. By contrast, problems with web applications are harder to manage.
One issue is the thousands of insecure PHP and other web scripts that get installed once and are never updated, even after their authors have published fixes for known flaws.
Security experts at Netcraft, which audits web applications, typically find problems such as weak session management, SQL injection risks, buffer overflows and vulnerable debug code mistakenly left in production applications.
In a paper presented at the JavaOne conference last year, Cisco security architect Martin Nystrom claimed that 95 percent of web applications have flaws, with 80 percent vulnerable to cross-site scripting attacks.
http://www.vnunet.com/itweek/comment/2148638/web-applications-easy-targets