Web applications have become an integral part of the corporate information system of any modern organization, regardless of the type of its activities. Own web resources provide not only commercial companies but also government agencies that develop web services to provide online services.
Despite all the advantages of web applications, vulnerability they are one of the most common methods of getting into corporate information systems. This is confirmed by statistical studies, which are held annually experts Positive Technologies.
The research focused resources 67 largest Russian public organizations and industrial sectors of telecommunications and IT (banking systems in a separate paper).
Note: The study analyzed data collected during the work on assessing the level of security of web applications in 2012.
The most common vulnerabilities
Among the 10 most common vulnerabilities included two critical - "Implementation of operators SQL» and "directory traversal", which are subject to a 33% and 18% of the surveyed web resources, respectively.
In 2012, the most widespread information disclosure vulnerability Fingerprinting, allowing to identify the software and prepare the base for the attack: this fault prone three-quarters of surveyed resources (73%). In second place with 63% - cross-site scripting (Cross-site Scripting). Almost half of the systems (46%) there are errors that can automatically pick up credentials and passwords (Brute Force).
image
Vulnerability specific to various means of web application development
According to the study, 83% of web applications developed in the language of PHP, contain critical vulnerabilities, the remaining 17% of such systems contain vulnerabilities medium and low risk. In second place Perl: almost a third of the vulnerability of systems contain a high level of risk.
image
Vulnerability specific to different Web servers
In 2012, the most vulnerable to high-risk vulnerabilities were Web-based applications using a web server Apache: 88% of them contain critical security flaws. In second place Tomcat - 75% of high-risk errors. Third place with 43% sensitive resources took Nginx, and became the most secure web server IIS (14%).
Recall that the results of the previous studies were more vulnerable web servers Nginx and Apache.
image
Most web servers vulnerabilities associated with errors of administration, the most common of which is the Information Leakage.
Vulnerability by industry
The maximum concentration of Web applications that contain vulnerabilities high risk was identified in the telecommunications industry - 78%. In the industrial sector, exactly half (50%) resource contains critical security flaws, followed by a small margin the following sites IT- and information security companies (45%). With regard to government organizations, approximately one in three (27%) of a web application in this area contains a high level of vulnerability risk.
image
findings
In general, compared to 2011 average level web application security has become a little higher: in particular, the proportion of sites that contain critical vulnerabilities decreased by 15% to almost 45%. Positive Technologies experts have found only one infected Web application, whereas previously 10% of websites containing malicious code. On the other hand, there are signs of stagnation: did not change the proportion of web applications with high-risk vulnerabilities in the industrial sector and telecom sector sites increase the level of security is very slow.
Despite all the advantages of web applications, vulnerability they are one of the most common methods of getting into corporate information systems. This is confirmed by statistical studies, which are held annually experts Positive Technologies.
The research focused resources 67 largest Russian public organizations and industrial sectors of telecommunications and IT (banking systems in a separate paper).
Note: The study analyzed data collected during the work on assessing the level of security of web applications in 2012.
The most common vulnerabilities
Among the 10 most common vulnerabilities included two critical - "Implementation of operators SQL» and "directory traversal", which are subject to a 33% and 18% of the surveyed web resources, respectively.
In 2012, the most widespread information disclosure vulnerability Fingerprinting, allowing to identify the software and prepare the base for the attack: this fault prone three-quarters of surveyed resources (73%). In second place with 63% - cross-site scripting (Cross-site Scripting). Almost half of the systems (46%) there are errors that can automatically pick up credentials and passwords (Brute Force).
image
Vulnerability specific to various means of web application development
According to the study, 83% of web applications developed in the language of PHP, contain critical vulnerabilities, the remaining 17% of such systems contain vulnerabilities medium and low risk. In second place Perl: almost a third of the vulnerability of systems contain a high level of risk.
image
Vulnerability specific to different Web servers
In 2012, the most vulnerable to high-risk vulnerabilities were Web-based applications using a web server Apache: 88% of them contain critical security flaws. In second place Tomcat - 75% of high-risk errors. Third place with 43% sensitive resources took Nginx, and became the most secure web server IIS (14%).
Recall that the results of the previous studies were more vulnerable web servers Nginx and Apache.
image
Most web servers vulnerabilities associated with errors of administration, the most common of which is the Information Leakage.
Vulnerability by industry
The maximum concentration of Web applications that contain vulnerabilities high risk was identified in the telecommunications industry - 78%. In the industrial sector, exactly half (50%) resource contains critical security flaws, followed by a small margin the following sites IT- and information security companies (45%). With regard to government organizations, approximately one in three (27%) of a web application in this area contains a high level of vulnerability risk.
image
findings
In general, compared to 2011 average level web application security has become a little higher: in particular, the proportion of sites that contain critical vulnerabilities decreased by 15% to almost 45%. Positive Technologies experts have found only one infected Web application, whereas previously 10% of websites containing malicious code. On the other hand, there are signs of stagnation: did not change the proportion of web applications with high-risk vulnerabilities in the industrial sector and telecom sector sites increase the level of security is very slow.
No comments:
Post a Comment