Opera tops security: Firefox trails Safari and IE

Tuesday 17th November 2009
Web application vulnerabilities. Courtesy: http://www.cenzic.com/

From Twitter to Facebook, from the U.S. Army to the Motion Picture Association, from banks to telecom companies, hackers were relentless in the first half of 2009. They exploited all kinds of vulnerabilities, including Cross Site Scripting, SQL Injection, Session Management flaws, and ClickJacking. Billions of dollars, as well as millions of identities, were stolen. The attacks we saw in 2008 only accelerated in 2009. The down economy contributed: many former employees, now unemployed, are collaborating with hackers to find alternative financial means. Hacking continues to be the only hot career in this economy, with some hackers reportedly making $10K per week, tax free.

Cenzic's Application Security Trends report saw continued growth in vulnerabilities and an increase in attacks through Web applications. The total number of reported vulnerabilities rose to almost 3,100, an increase of over 10%, and Web vulnerabilities continued to dominate at around 78% of the total.

Of the Web vulnerabilities, 90% pertained to code in commercial Web applications, while Web browsers accounted for about 8% and Web servers for about 2%. Of the browser vulnerabilities, Firefox had 44% of the total, but perhaps the biggest surprise was Safari, which accounted for 35%. Internet Explorer was third with 15%, and Opera was at 6%.

Of the published vulnerabilities in Commercial Off The Shelf (COTS) applications, SQL Injection and XSS were once again the most common; it is no coincidence that most of the attacks in the first half of the year exploited these two classes of vulnerability.
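To make the two dominant classes concrete, here is an added example (not from the Cenzic report or the original article) showing the classic SQL Injection and XSS patterns next to their hardened forms. It uses Python's standard sqlite3 and html modules; the users table, the account rows and the payloads are all constructed for the demonstration. The login bypass payload `' OR '1'='1` succeeds against the string-concatenated query and fails against the parameterised one, and the escaped greeting neutralises a script tag that the unescaped version would hand straight to the browser.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real accounts).

    Passwords are stored in clear text only to keep the injection example short;
    a real application stores salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """SQL Injection: user input is pasted into the SQL text.

    With password "' OR '1'='1" the WHERE clause becomes
        username = 'x' AND password = '' OR '1'='1'
    which is true for every row, so the first user (alice) is 'logged in'.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: values travel separately from the SQL text,
    so a quote in the input is just data and can never change the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name):
    """Reflected XSS: the name is interpolated into HTML unescaped."""
    return "<p>Hello, %s!</p>" % name


def render_greeting_hardened(name):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    renders the payload as text instead of executing it."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def demo():
    """Run both attacks against both versions; returns the outcomes."""
    sqli_payload = "' OR '1'='1"           # constructed attacker input
    xss_payload = "<script>alert(1)</script>"  # constructed attacker input
    return {
        "sqli_vulnerable": login_vulnerable(make_db(), "anyone", sqli_payload),
        "sqli_hardened": login_hardened(make_db(), "anyone", sqli_payload),
        "xss_vulnerable": render_greeting_vulnerable(xss_payload),
        "xss_hardened": render_greeting_hardened(xss_payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %r" % (name, result))
```

The parameterised query is the fix for injection regardless of database engine; input filtering of quotes is not, because encodings and second-order paths get around it. For XSS, the rule is to encode on output for the context the data lands in (HTML body here; attribute, JavaScript and URL contexts each need their own encoder), not to sanitise on input.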

Based on thousands of assessments by Cenzic's managed service, 9 out of 10 applications continue to be vulnerable, with Information Leaks, Cross Site Scripting, Authentication Flaws, and Session Management as the most common categories.

The top 10 vulnerabilities for the first half of 2009 included familiar names such as Sun, IBM, SAP, PHP, and Apache. In terms of progress, a significant number of companies have started testing their Web applications for vulnerabilities. The Payment Card Industry (PCI) standard, California AB1950, and other regulations continue to be the driving force behind most of these initiatives.

Data breaches can cost more than $500K per breach. According to the Ponemon Institute, the cost of a data breach can be $202 per record, so even for a small company with 5,000 records that is over $1m. Non-compliance with regulations can put businesses in jeopardy, and hacked sites can scare away consumers and lead them to a competitor's site.

And yet most companies are not focusing on securing Web applications. The main reason continues to be a lack of understanding and knowledge. There are many myths around Web security that lull people into a false sense of security. Many IT professionals still believe that having a network firewall, IDS, SSL certificate, etc. will protect them from hackers attacking their Web sites. None of these inspects the application logic that an attacker's request actually reaches: it is like having locks on your front door but leaving your windows and side doors wide open and hoping that burglars will only try to come through the front door.

Most companies don't realize that information on how to secure Web applications is easily available. Organizations like OWASP and NIST are doing a great job of educating companies on these issues, and getting a jump start on having applications tested is very easy with SaaS/managed service solutions.

Mandeep Khera
