Click here to receive your FREE subscription to Campus Technology
Article
Study: The Year's Top-10 Web Application Vulnerabilities
3/4/2008
Extra Credit The phrase "Web 2.0" has very little real meaning, as it refers more to Web application concepts than any specific technologies. Nevertheless, tools that are generally considered Web 2.0 have come under fire from several directions for the security vulnerabilities they represent. More Information: Web 2.0 Threats Loom Large for IT Campus Technology's Security Page Application Security Trend Report for Q4 2007 (PDF) --D. Nagel |
Web applications, by far, dominate the list of application security vulnerabilities facing IT organizations. While 29 percent of vulnerabilities are attributable to network and infrastructure weaknesses, a full 71 percent are attributable to both open source and commercial Web applications, according to a report released recently by security firm Cenzic Inc., "Application Security Trend Report for Q4 2007."
On the whole, according to the report, Web application vulnerabilities increased 3 percent in the fourth quarter of 2007 compared with the third quarter. And actual attacks and probes increased from 1.3 million in October 2007 to 1.7 million in December 2007.
The highest percentage of incidents came in the form of probes, attempted access, and scans, accounting for 59 percent of incidents in the fourth quarter. Others included investigation (16 percent), "improper usage" (10.3 percent), unauthorized access (7.6 percent), malicious code (6.9 percent), and denial of service (0.2 percent).
Web 2.0 Issues
In addition to general Web application vulnerabilities, the report highlights several vulnerabilities in technologies used in the development of Web 2.0 applications, adding to a growing list of reports targeting Web 2.0. (See sidebar for more.) These technologies and protocols, spotlighted in the report, include:
- AJAX (Asynchronous Javascript and XML)
- XML (eXtensible markup language)
- SOAP (Service Oriented Architecture Protocol or Simple Object Access Protocol)
- REST (Representational State Transfer)
- Javascript and Java
- Adobe Flash and Flex
- Active X controls
- Microsoft Silverlight
- RSS, RDF, and Atom
For the second half of 2007, these technologies combined represented some 178 identifiable vulnerabilities, with Active X by far the largest culprit at 111 individual vulnerabilities. (Flash came in second with 23, RSS in third with 14, and AJAX in fourth with 10.)
Recommended Reading
- Moodle Gets SCORM Improvements, Security Fixes
New versions of Moodle have been released, bringing the most recent stable build to 1.9.3. The latest round of updates includes a number of bug fixes and security enhancements, as well as improvements to the SCORM module.
- Free 'Morro' Antivirus To Replace Microsoft OneCare
Microsoft is rolling out a free antivirus software program for consumers that will compete with products made by Symantec and McAfee. Code-named "Morro," the AV app is expected to be available by the end of 2009.
- Microsoft Demos New SQL Server Features at PASS
Microsoft Wednesday previewed the ability to centrally manage applications and resources in the planned upgrade of SQL Server, code-named "Kilimanjaro."
- Microsoft Unveils Exchange and SharePoint as Services
Microsoft exec Stephen Elop on Monday announced two hosted solutions from Microsoft--Exchange Online and SharePoint Online--which are now available to organizations of all sizes in the United States. The software, paid for by annual subscriptions, is hosted on Microsoft's servers and supported by Microsoft's channel partners.
- 6 Ways Not To Become Rote Using Instructional Technology
There are, in my experience, six strategies to consider with any use of technology that will guard against rote use of technology and facilitate critical analysis of teaching and learning effectiveness. In this article, I'll share with you the checklist I work with and encourage others to work with in learning about and using new technology.
- Bringing Student Web "Stuff" to Campus Enterprise Systems
How can an institution incorporate Web 2.0 learning opportunities for students, and evidence of learning from those opportunities, into existing campus technologies and processes? PlugJam is providing part of the answer.
