Security services provider Orthus conducted the baseline security tests beginning 2004 in terms of both network and application layers. The tests were carried out in industry sectors such as banking, insurance, finance, retail, manufacturing, transport, utilities, health and education.
The study revealed nearly 2,000 vulnerabilities. At least one security vulnerability was found at the network level in all tests and in 97 percent of the tests, at least one vulnerability was found at the application level.
Network layer weaknesses, however, had dropped from an average of 14 per test in 2004 to an average of six per test during tests carried out in 2008, representing a drop of 57 percent. This contrasted with the rise in application level weaknesses from eight per test in 2004 to 12 per test in 2008 – a rise of 50 percent.
Other worrying findings include a 25 percent increase in SQL injection vulnerabilities and other weaknesses; and cross-site scripting vulnerabilities climbed by 23 percent.
Richard Hollis, managing director of Orthus, said: “Security teams are getting better at eradicating network and operating system related issues, but the application layer is less well addressed. Companies need to adopt secure coding guidelines as part of a comprehensive secure software development lifecycle. It can be done. The three percent of applications that were extremely well-written and configured when tested are proof of that.”
He recommended that organizations that outsource web application development should provide security standards to partners and insist on periodic independent code reviews, as well as application testing of all major releases. Issues fixed in one release “have a habit of reappearing in the next,” he warned.
System application layers are increasingly targeted so that black-marketable information can be extracted from a backend database.