Cenzic, a California-based Web application security company, released these findings in its February 2013 report, which also details why these vulnerabilities aren't getting better.
Technology is available to help developers test their software both during development and once it is in production, so that creators understand the flaws before releasing these products to public- and private-sector customers, but budget constraints often prevent them from completing these assessments.
“Ultimately I’ve heard many stories of organizations saying they don’t even want us to scan their applications because they don’t have the budget to fix what they find,” said Scott Parcel, chief technology officer of Cenzic, which offers such a tool.
This alarming trend has continued for a while, according to the company, which also found that 99 percent of Web applications tested in 2011 had vulnerabilities. One significant difference was in the median number of vulnerabilities found per application: 13 in 2012, down from 18 in 2011.
Cenzic touts these findings as a warning to information security and application development personnel that hackers can easily exploit what’s built.
Vulnerabilities detected include the following:
- Cross-site scripting (XSS) – 26 percent
- Information leakage and session management – both 16 percent
- Authentication and authorization – 13 percent
- Cross-site request forgery – 8 percent
- SQL injection – 6 percent
- Web server version – 5 percent
- Remote code execution – 5 percent
- Web server configuration – 3 percent
- Unauthorized directory access – 2 percent
Parcel said he feels that the public sector could play a role in fixing some of these problems, but he’s unsure if the government will act.
“Government efforts around cybersecurity [are] to try to invest in improving things for the whole country, not just for the government,” Parcel said, though he didn’t name any specific actions the government has taken or attempted. “And that, I see, is woefully mis-coordinated and really just not tackling the problem. They keep making all kinds of bold announcements, and then not doing much in the realm of Web application security.”
Dan Lohrmann,