News by JavaScriptSearch


SPI Dynamics' SPI Labs Releases Top 2007 Web Application Security Threats

JavaScriptSearch
Thursday, December 7, 2006; 05:41 AM

S.P.I. Dynamics, Inc. (www.spidynamics.com), a leading provider of Web application security testing software and services, today released research from its SPI Labs division predicting the top Web application security threats for 2007. The research found that software developers who embrace Rapid Application Development (RAD) to bring solutions to market faster will only add to the growing number of application security defects hackers can target unless security is embedded in key phases of the application development lifecycle. In addition, hackers will likely escalate the use of file format attacks and bridge hacking to stealthily seize confidential data.

"Not surprisingly, the 2006 SANS Top 20 list revealed that Web application vulnerabilities are increasingly being exploited and we can expect to see Web application threats rise and become more critical in 2007," said Caleb Sima, CTO and co-founder of SPI Dynamics. "As the security landscape continues to evolve and hackers improve their techniques, CSOs and development organizations need to look beyond their firewalls and anti-virus solutions to identify and fix the most inevitable targets for identity theft and phishing attacks -- the vulnerabilities found in their Web applications. While the concept of securing applications during the development phase through input validation is one that has been around for over thirty years, it is still the most ignored, common sense solution to preventing these threats."

In no particular order, the most prevalent security trends identified by SPI Labs for 2007 include:

    * RAD becomes BAD - An increasingly popular trend, RAD focuses on
      speeding up application development. Although increased quality is
      also a stated goal of RAD, in practice quality is often sacrificed in
      order to meet deadlines. Proper security testing during the design and
      development phases is one of the things that gets dropped, and this
      oversight can and will lead to additional security vulnerabilities and
      attack vectors unless organizations implement security throughout the
      key phases of the application development lifecycle.

    * File Format Vulnerabilities: Yet Another Avenue for Phishing Attacks -
      These vulnerabilities do not lie in the file itself; the vulnerability
      is in the application that parses the file. As a result, a single
      malicious file can exploit multiple applications that share the same
      faulty libraries. File formats are a key vector for spear phishing
      attacks, and there are many popular targets for these types of attacks,
      such as graphics programs, word processors, media players, Web browsers
      and spreadsheet applications. Because many file formats are complex to
      parse, these vulnerabilities are on the rise. This is underscored by the
      fact that during 2006 Microsoft issued two out-of-cycle patches for file
      format vulnerabilities, and over the past two years approximately a
      quarter of its patches were directly related to this class of
      vulnerabilities.

    * Hacking Along Bridges - Why Wouldn't Hackers Take the Easiest Route? -
      This new trend involves a link or "bridge" between two sites, where a
      smaller site is able to send search requests to a much larger one, such
      as Amazon or Maps.com. Because the bridge has no security measures of
      its own, it creates an easy avenue for hackers to attack the larger,
      more desirable site. By hacking along bridges, attackers essentially
      piggyback on the trust between the two sites, gain an extra layer to
      hide behind and are able to attack the desired site quickly. As bridges
      continue to grow in popularity, hackers will increasingly exploit these
      vulnerabilities.

    * Insecure Embedded Web Applications: Don't Forget Those Printers! -
      Hardware such as printers and routers runs embedded Web application
      servers, and these are rarely updated properly because the devices are
      not commonly seen as vectors for security attacks. Moreover, these
      devices generally represent trusted systems within your network, which
      makes them useful staging points for attacks on other systems. For
      example, a vulnerable switch could be reconfigured to re-route traffic
      to the attacker. Without patches and updates, these hardware-based Web
      applications will remain vulnerable and present a significant insider
      threat.

    * Web 2.0: A Hacker's Dream - As more dynamic and interactive Web 2.0
      applications explode in 2007, we will continue to see an increase in
      vulnerabilities brought forth by the new attack vectors Web 2.0 offers
      hackers. While Web 2.0 technologies such as AJAX, SOAP and RSS promise
      to make Web applications more usable and connect us in ways we've never
      imagined, we must not make the mistake of ignoring security while
      increasing the complexity of Web applications.

    * Client Side Attacks Come of Age - Historically, we have considered
      server side vulnerabilities to exceed their client side counterparts in
      terms of vulnerability severity. That logic is being turned on its head
      with the advent of phishing attacks and identity theft, which have
      exploded in recent years. Client side vulnerabilities such as those
      found in Web browsers have become the facilitators which make these
      attacks possible.

    * Web Application Worms - Attackers are leveraging vulnerabilities in
      popular Web applications to spread malicious code among the users of
      those sites. Web-based worms have proven to be a highly successful means
      of conducting blanket phishing attacks against the millions of
      unsuspecting users who frequent such sites and who can become victims
      simply by visiting an infected Web page. The vulnerabilities arise from
      relaxed rules on client-provided script, an increasingly popular trend
      because it allows users to produce dynamic, personalized content. Yahoo!
      and MySpace have already fallen victim to such attacks, and others are
      expected to emerge in the coming year.

"While SQL injection and Cross-Site Scripting attacks will continue to drive incidents of phishing and identity theft, security managers need to be aware of the next generation of threats and begin taking measures to protect against them," said Michael Sutton, Security Evangelist for SPI Dynamics. "It is crucial that security is embedded into every phase of the software development lifecycle so that potential security defects are corrected at the source as this is the best defense against these threats."

For more educational information on cutting-edge Web application security research from the experts in SPI Labs including trend articles, white papers, Webcasts, podcasts and presentations, please visit http://www.spidynamics.com/spilabs/index.html.

About S.P.I. Dynamics, Inc.
SPI Dynamics delivers a comprehensive suite of products and services (http://www.spidynamics.com/products/index.html) that help to identify and remediate Web application and Web services security vulnerabilities found at key stages throughout the Web Application Lifecycle. SPI Dynamics solutions enable security professionals, QA testers, and developers to work together to assess, analyze, and remediate Web applications and Web services for security vulnerabilities, and verify compliance with over 20 security policies such as SOX, HIPAA and PCI. The Company's unique approach, utilizing patent-pending Intelligent Engines(TM) technology combined with the largest Web application security vulnerability knowledgebase in the industry, delivers unparalleled speed and accuracy. SPI Dynamics' research and development team, SPI Labs, is widely recognized as one of the world's leading authorities on Web application security and risk management. The Company has over 850 customers among Global 2000 enterprises, including over 90 U.S. Federal accounts, and has strategic partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa investing in the Company in 2005. SPI Dynamics is privately held with headquarters in Atlanta, Georgia. For more information on Web application security, visit www.spidynamics.com.