Security testing analysis results published

Orthus: 23 July 2008 (Technical Article)
Analysis reveals the evolution of security testing in a range of industries including education, healthcare and banking
Orthus has published an analysis of 100 in-depth security tests conducted over the last five years, providing an insight into how both security weaknesses and attack vectors have evolved, and how organisations' defences have changed in response.

The analysis looked at the results from 100 baseline security testing engagements delivered since the beginning of 2004. Tests for the study were selected on the basis that both the network and application layers were included in the scope. All tests included a complex web application and were delivered across a range of industry sectors including banking, insurance, finance, retail, manufacturing, transport, utilities, health and education.

Overall, just under 2,000 individual vulnerabilities included in the test findings were analysed.

Key results from the research showed:

* 100% of tests found at least one security vulnerability at the network level.
* 97% of tests found at least one vulnerability at the application level.
* Network layer weaknesses have come down from an average of 14 per test in 2004 to an average of 6 in tests delivered during 2008 (a reduction of 57%).
* Conversely application layer weaknesses have increased from 8 per test in 2004 to 12 per test in 2008 (a 50% increase).

The analysis highlights an improvement in the way organisations are hardening and configuring network devices and servers prior to use in production environments. Five years ago simple security hardening such as removing unneeded services and limiting open ports was not being carried out.

Today it is clear that the need for strong build standards is not only recognised but that they are actually being implemented. Some vulnerabilities are inevitably still present. More than half of these are attributable to weak operational security processes, in particular inadequate patch management programs.

Findings relating to the security of the application layer, in contrast, show a concerning increase. Application layer weaknesses are more prevalent than ever. The only category showing an improvement is web server configuration weaknesses. All others are up:

* SQL injection and other SQL weaknesses increased 25%.
* Cross-site scripting increased by 23%.
* Input validation issues increased 15%.
* SSL related issues went up by 7%.
* Authentication related issues (including username and password enumeration) increased by 9%.
* Information leakage (in error messages) increased 5%.

Richard Hollis, Managing Director of Orthus said "Security teams are getting better at eradicating network and operating system related issues but the application layer is less well addressed. Companies need to adopt secure coding guidelines as part of a comprehensive Secure Software Development Lifecycle. It can be done. The 3% of applications that were extremely well-written and configured when tested are proof of that."

Richard went on to say "Organisations that outsource web application development in particular should provide security standards to their partners and insist on periodic independent code reviews as well as application testing of every major release. Issues fixed in one release have a habit of reappearing in the next."

Building a Secure Software Development Lifecycle comprising a threat and risk assessment early in the project (and again before releasing the application) alongside secure coding guidelines and training for development teams, coupled with regular testing, has significant benefits. Security 'designed in' ensures issues are captured and addressed before applications go live at a time when they are significantly cheaper to fix.

Ultimately, as attackers increasingly target the application layer with the objective of extracting marketable information from backend databases, focusing on application security ensures customer and other sensitive data is protected and the risk of loss is minimised.

The analysis clearly shows companies need to concentrate more efforts in this area and move what's been learnt at the network layer up the stack.

   © 2012 ProSecurityZone.com