Network Security Vulnerabilities Declining as Application Vulnerabilities Soar

From: Orthus Ltd.
Published: Tue Jul 22 2008

Orthus Limited today published an analysis of 100 in-depth security tests conducted over the last five years, providing an insight into how both security weaknesses and attack vectors have evolved – and how organisations’ defences have changed in response.

The analysis looked at the results from 100 baseline security testing engagements delivered since the beginning of 2004. Tests for the study were selected on the basis that both the network and application layers were included in the scope. All tests included a complex web application and were delivered across a range of industry sectors including banking, insurance, finance, retail, manufacturing, transport, utilities, health and education.

Overall just under 2,000 individual vulnerabilities included in the test findings were analysed.

Key results from the research showed:

* 100% of tests found at least one security vulnerability at the network level.
* 97% of tests found at least one vulnerability at the application level.
* Network layer weaknesses have come down from an average of 14 per test in 2004 to an average of 6 in tests delivered during 2008 (a reduction of 57%).
* Conversely application layer weaknesses have increased from 8 per test in 2004 to 12 per test in 2008 (a 50% increase).

The analysis highlights an improvement in the way organisations are hardening and configuring network devices and servers prior to use in production environments. Five years ago simple security hardening such as removing unneeded services and limiting open ports was not being carried out.

Today it is clear that the need for strong build standards is not only recognised but that such standards are actually being implemented. Some vulnerabilities are inevitably still present. More than half of these are attributable to weak operational security processes, in particular inadequate patch management programs.

Findings relating to security of the application layer in contrast show a concerning increase. Application layer weaknesses are more prevalent than ever. The only category showing an improvement is web server configuration weaknesses. All others are up:

* SQL injection and other SQL weaknesses increased 25%.
* Cross-site scripting increased by 23%.
* Input validation issues increased 15%.
* SSL related issues went up by 7%.
* Authentication related issues (including username and password enumeration) increased by 9%.
* Information leakage (in error messages) increased 5%.

Richard Hollis, Managing Director of Orthus, said "Security teams are getting better at eradicating network and operating system related issues but the application layer is less well addressed. Companies need to adopt secure coding guidelines as part of a comprehensive Secure Software Development Lifecycle. It can be done. The 3% of applications that were extremely well-written and configured when tested are proof of that."

Richard went on to say "Organisations that outsource web application development in particular should provide security standards to their partners and insist on periodic independent code reviews as well as application testing of every major release. Issues fixed in one release have a habit of reappearing in the next."

Building a Secure Software Development Lifecycle comprising a threat and risk assessment early in the project (and again before releasing the application) alongside secure coding guidelines and training for development teams, coupled with regular testing, has significant benefits. Security ‘designed in’ ensures issues are captured and addressed before applications go live at a time when they are significantly cheaper to fix.

Ultimately, as attackers increasingly target the application layer with the objective of extracting marketable information from backend databases, focusing on application security ensures customer and other sensitive data is protected and the risk of loss is minimised.

The analysis clearly shows companies need to concentrate more efforts in this area and move what’s been learnt at the network layer up the stack.

About Orthus Limited
Orthus is a leading provider of innovative and independent information security services and solutions. Since its foundation in 2001 Orthus has grown to become one of the leading UK-based providers of security services assisting enterprises in protecting their digital information assets globally.

For more information please contact Orthus, 31 Southampton Row, London WC1B 5HJ. Tel: +44 (0)203 170 8955 or email
Company: Orthus Ltd.
Contact Name: Orthus
Contact Email:
Contact Phone: +44 (0)203 170 8955
