Electronic news service of the Ministry of Communications and Information Technologies

Nine out of 10 custom-built web applications vulnerable to attack


Almost nine out of 10 custom-built web-facing applications contain severe vulnerabilities that could expose organisations to a serious attack, according to an expert at HP.

"Some 86 per cent of the web applications that we analysed as part of HP Fortify had an SQL injection vulnerability of some kind or other," said Simon Leech, pre-sales director EMEA at HP.

An SQL injection vulnerability enables an attacker to compromise the database back-end of an application by entering SQL commands – often disguised as a legitimate query – into a web-facing interface. Recent attacks against Sony, for example, which yielded customers' credit card details, and RSA Security were perpetrated using SQL injection attack techniques. It is also a favoured technique of hacking groups Anonymous and LulzSec, according to Leech.
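To make the mechanism concrete, the following added example (not code from the article or from HP) contrasts a lookup that splices user input into the query text with one that binds it as a parameter. It assumes a constructed in-memory SQLite table named `customers`; the driver and schema are illustrative only.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the article): two customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation, so whatever the user
    types becomes part of the SQL text. Input containing a quote either
    breaks the query (a legitimate name like O'Brien raises a syntax error)
    or rewrites its logic, which is the defect the article describes."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Uses a placeholder: the driver sends the value separately from the
    statement, so quotes and keywords in the input are only ever data.
    This is the standard mitigation for SQL injection."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    """Returns (rows from the unsafe lookup, rows from the safe lookup) so the
    difference in behaviour for the same input can be checked directly."""
    return lookup_vulnerable(conn, name), lookup_parameterised(conn, name)
```

For an ordinary name both functions return the same single row; for input that contains SQL syntax, only the concatenated version changes its result set.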

Custom-developed applications are at greater risk than commercially developed applications because fewer people and organisations are testing them regularly for potential vulnerabilities.

"If a bank or insurance company develops a piece of software, it will become a nice target for someone to break into if they find a vulnerability, because there's nobody actively patching it or particularly looking after it," said Leech.

Even in commercial software, while the number of vulnerabilities fell from a record high in 2006, their severity has increased, said Leech. The 2006 peak, he added, was when "fuzzing" was at its height – an automatic or semi-automatic software testing technique used to find holes in commercial software, although they would not necessarily be serious flaws.

Today, though, serious security vulnerabilities – ones that could expose an application to remote code execution and, hence, the "pwning" of a system by an attacker – account for one-quarter of all reported security flaws in commercial software.

Rise of the bounty hunters

On top of that, many security flaws are being publicised before they are reported to vendors due to the rise of software vulnerability "bounty hunters", people or organisations who make a living from finding vulnerabilities and selling their research – either to subscribers of a service or to the highest bidder.

A vulnerability "middle man", who goes by the codename of Grugq, reportedly sold a serious flaw in Apple's iOS mobile operating system that he had acquired for $250,000 (£155,000) to an undisclosed client.

"He said that considering the speed with which the organisation paid for that vulnerability, he felt that he could almost certainly have got a lot more money for it," said Leech.

Companies such as Vupen Security, FinFisher IT Intrusion and HackingTeam even buy zero-day vulnerabilities, exploits and remote monitoring tools to sell to their list of clients before software vendors are informed of the problems. As a result, a market in vulnerabilities has grown, with prices ranging from $5,000-$10,000 (£3,000-£6,000) for security holes in Android, Google's open-source mobile operating system, all the way to $250,000 (£155,000) for flaws found in iOS, Apple's iPhone and iPad OS.

Apple iOS flaws are valued so highly partly because the market is large and users are everywhere, but also because those users tend to be more affluent, making them a prime target. New versions of Android, meanwhile, are being released at such a pace that even the hackers can barely keep up.

Security research companies have been criticised for finding and publicising flaws among their subscribers before the vendors have been informed.

One, Vupen, even crafted an exploit for a flaw it found in Google's Chrome browser: a "drive-by" exploit that downloaded and ran a piece of software in the background when a user visited a particular web site that it had set up.

Critics say the company was irresponsible to publicise and demonstrate the security flaw before informing Google, which could then have rushed out a patch.

11/05/12