Jul 31, 2007 (05:07 AM EDT)
Report: Rise in Web App Vulnerabilities
Read the Original Article at InformationWeek
SANTA CLARA, Calif. -- Cenzic Inc., the innovative leader of application vulnerability assessment and risk management solutions, today released its Application Security Trends Report - Q2 2007, proving once again that organizations are failing to optimize their Web application security methods. While this report highlights the Top 10 vulnerabilities from published reports in Q2 2007, Cenzic estimates there are thousands of vulnerabilities that remain unpublished due to the lack of reports and the vast amounts of home grown applications. It is estimated that there are more than 100 million Web applications that facilitate transactions and collection information, yet less than five percent of applications are tested for vulnerabilities. The report provides a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings.
"We are at a critical stage when it comes to securing Web applications. With less than one percent of applications tested, millions of applications are vulnerable and ripe for hackers," said Mandeep Khera, VP of marketing for Cenzic. "Even the organizations that do test are still focused on testing only the applications in the development or Quality Assurance stage. With 99 percent of the applications in the production stage at any given point, these corporations are extremely exposed and vulnerable. They will get hacked. It's not a question of if but when."
"Our analysis for Q2 illustrates a very high percentage of published vulnerabilities in Web technologies, similar to the Q1 findings. This is a clear indication that network security is maturing, while application security is in its early stages," said Tom Stracener, senior security analyst at Cenzic. "While our analysis shows top vulnerabilities in Java, Apache, Apple and PHP applications, these reflect only the published vulnerabilities. There still remain thousands of vulnerabilities that are not published or reported."