Every second web application contains between one and ten holes
The 2008 Annual Web Application Security Report recently released by UK security services provider NTA Monitor paints an alarming picture of bug-ridden applications throughout 2007, albeit with some improvement over 2006. According to the company, the results are based on application tests it performed throughout the year in question "for clients on either live systems as part of a regular testing programme or for clients who were about to or had just launched a new application".
Forty-nine per cent of all tested applications contained between one and ten vulnerabilities. Across all industry sectors, an average of 13 vulnerabilities per application at all levels of criticality was found, two per cent being classified as "high" risk, which implies a well-known hole that is exploitable externally. Seventeen per cent of all applications tested contained at least one critical flaw, compared with 34 per cent in 2006. However, some industry sectors fared much worse than others. Services was the worst hit, with an average of 20 vulnerabilities per application, of which one was classified as "high" risk and four as "medium" – exploitable remotely to disrupt service, locally to gain unauthorised access, or possibly remotely "if incorrectly configured". Publishing came second overall, with seven "medium" holes per application but no "high" risks. Surprisingly, government fared quite well, with no "high" risks and only three "medium" risks per application on average. The really worrying finding, though, was that banking and legal applications averaged one "high" risk hole per application.
The company confirmed to heise online that these were blind tests – the applications were submitted without prior suspicion of vulnerabilities being present. Although the sample size has not been disclosed for confidentiality reasons, the results are therefore likely to be reasonably representative of the security of web applications in general.
- Request the NTA Monitor Annual Web Application Security Report 2008 by email