Are Those Web Applications Secure?
In 2001, 75 percent of cyber-attacks and Internet security violations were generated via Internet applications, according to analyst firm Gartner. Now, nearly three years later, WebCohort, Inc., a leader in Web application security, says those Web applications are still not secure.
In January 2004, the Federal Trade Commission announced that Internet-related fraud had led to more than half a million consumer complaints in 2003, with estimated losses of $200 million in the United States alone. Many of these losses can be blamed on unsecured Web applications, which leave a door open for hackers and for Internet fraud.
WebCohort’s Application Defense Center studied four years of penetration testing on more than 250 Web applications, including e-commerce, online banking, enterprise collaboration and supply chain management sites, and concluded that at least 92 percent of Web applications are vulnerable to attack.
The most common application-layer vulnerabilities include:
- Cross-site scripting (80 percent)
- SQL injection (62 percent)
- Parameter tampering (60 percent)
- Cookie poisoning (37 percent)
- Database server (33 percent)
- Web server (23 percent)
- Buffer overflow (19 percent)
For more detailed descriptions of these vulnerabilities, go to http://www.imperva.com/application_defense_center/glossary/.
These types of attacks are common, yet many enterprises have not secured their Web sites, their applications or their servers against them. Firewalls and intrusion detection or prevention systems do not provide an adequate level of protection from hackers.
According to Shlomo Kramer, CEO of WebCohort, increased network security has led hackers to see Web applications as easier targets. “We are only beginning to see the risks to businesses and consumers these vulnerabilities introduce,” he said.
For more information, see http://www.webcohort.com.
Emily Hollis is managing editor for Certification Magazine. She can be reached at firstname.lastname@example.org.