Application security in a "grim state"

Discussion in 'other security issues & news' started by Paul Wilders, Feb 20, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Application security is "in a grim state", according to new research. Almost half of application security vulnerabilities are readily exploitable through entirely preventable defects.
    The typical ebusiness application is at serious risk of compromise because of security flaws introduced early in the design cycle, but these risks could easily be reduced by as much as 80 per cent, according to security firm @stake.

    While analysing 45 popular ebusiness applications, @stake found a "grim" level of security and noted that not all applications are created equal.

    The research found that "the best designed applications have one quarter as many security defects as the worst. As a result, these applications carry 80 per cent less business-adjusted risk than the least secure."

    When contrasting the performers with regard to security, the six areas that differentiated the top performers from the bottom ones are: early design focus on user authentication and authorisation; mistrust of user input; end-to-end session encryption; safe data handling; elimination of administrator backdoors and default settings; and security quality assurance.

    Dan Geer, @stake's chief technical officer, said: "Our research shows that the primary difference between the top and bottom performers is due to superior practices in designing, coding and deploying secure applications."

    The company discovered that 47 per cent of applications suffer from readily exploitable security flaws that fall into nine common classes.

    These are weaknesses in administrative interfaces; authentication/access control; configuration management; cryptographic algorithms; information gathering; input validation; parameter manipulation; sensitive data handling; and session management.

    The most common application security mistake is a lack of adequate authentication and access control.

    According to the firm, user session security remains the Achilles' heel of most ebusiness applications because user input is trusted implicitly or relies on client-side validation, rather than having the server itself check for inappropriate data.

    "Many companies treat security as 'penetrate and patch' rather than employing secure software engineering practices that would have produced a safer application from the start," said Andrew Jaquith, program director at @stake.

  2. Zhen-Xjell

    Zhen-Xjell Security Expert

    Feb 8, 2002
    A similar article was posted a couple months back. Question is... how and when are things going to change? Are they going to change?