
Web apps and services prove high risk - Symantec

By Matt Whipp

Posted on 26 Sep 2006 at 14:37

Symantec has warned that the wave of enthusiasm for web applications such as blogs and other services will be shared equally among innocent users and virus writers.

In its biannual report, security firm Symantec says it recorded the highest number of vulnerabilities ever for the first half of 2006 - a fifth higher than the first half of 2005. And of those 2,249 new vulnerabilities documented, some 69 per cent affected Web applications.

It defines Web applications as 'technologies that rely on a Web browser for their user interface, rely on HTTP as the transport protocol, and reside on Web servers'.

Certainly web applications pave the way for technology developments, from Web 2.0 to SOA (service-oriented architectures), yet their very nature makes them vulnerable.

The report worries about the 'relative ease of discovering vulnerabilities in Web applications compared to other platforms'. Source code is easily obtained, they are frequently updated, and because there are few restrictions to distinguish valid input from invalid, web applications are 'susceptible to common types of input validation vulnerabilities, such as cross-site scripting and SQL injection'.
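The two input-validation flaws the report singles out both come from the same root cause: user-supplied text is pasted into a string (a SQL statement, an HTML page) that another interpreter then parses. The following is an added illustration, not code from the article or from Symantec's report; it uses a constructed in-memory SQLite table and constructed inputs, and places the vulnerable form next to its hardened form so the difference in behaviour can be seen directly.

```python
import html
import re
import sqlite3

# Constructed stand-in for a web application's user table (not from the article).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# Positive validation: the report's point is that web apps rarely distinguish
# valid from invalid input. Here only a narrow, known-good shape is accepted.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so the database
    # cannot tell the application's query apart from the user's data.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the statement shape is fixed and the value is bound as a
    # parameter, so it can only ever be compared literally.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: raw text lands inside the page, so markup in it is rendered.
    return f"<p>Hello, {name}</p>"

def render_greeting_safe(name: str) -> str:
    # Hardened: markup characters become entities and are displayed as text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

def demo() -> dict:
    conn = build_db()
    # Constructed input whose quote character changes the unsafe query's meaning.
    crafted = "x' OR 'a'='a"
    markup = "<b>bob</b>"
    return {
        "crafted_passes_validation": is_valid_username(crafted),  # False
        "unsafe_rows": len(lookup_unsafe(conn, crafted)),          # 2: whole table returned
        "safe_rows": len(lookup_safe(conn, crafted)),              # 0: no such literal name
        "unsafe_html": render_greeting_unsafe(markup),
        "safe_html": render_greeting_safe(markup),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The validation step is the first line of defence the report says is usually missing; parameterised queries and output encoding are the second, and they still work when validation is imperfect because they never let data change the structure of the statement or page.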

The technologies underpinning Web applications and Web services also give Symantec cause for concern. AJAX, which is short for asynchronous JavaScript and XML, allows Web applications to connect to and interact with each other seamlessly and to offer a desktop-like experience for an online service.

'Symantec is concerned that in the rush to develop Web services, the underlying Web applications that use them are not receiving the same level of security auditing as traditional client-based applications and services.

'As Web applications continue to gain in popularity, Symantec expects to see an increase in the number of attacks taking advantage of the interconnected, interactive nature of AJAX to increase the number of potential targets.'

Also of concern is the time taken between a vulnerability being found and code becoming available to exploit that flaw compared with a patch issued by the vendor.

For high profile applications such as browsers, vendor response is pretty good. For the first half of 2006, Microsoft crushed its average response time from 25 days for the 2005 period to just nine days. Opera too is noteworthy, reducing this window of exposure from 18 to two days. Mozilla was in the fortunate position of having already patched flaws before exploits were written for them, and for this year boasts on average just one day between patch and exploit. Apple's Safari rose from zero to five days over the same period.

But with SOA billed as the next big thing for businesses, they will be more exposed to web application exploits, so enterprise software vendors will need to drastically raise their game in this respect. The window of exposure at the enterprise level is far greater, averaging 28 days.

It's a big improvement over the 60 days for the first half of 2005, and the credit must go to the vendors themselves, now averaging 31 days to write a patch. Even so, attackers average just three days to write an exploit.

The leaders in this field are Microsoft and Red Hat, taking just 13 days to release a patch. But at the other end of the scale, Sun had the longest patch release time with 89 days, followed by HP with 53 days.



PC Pro - Computing in the Real World, www.pcpro.co.uk
