Wall Street & Technology: Blog
May 23, 2007

7 out of 10 Popular Web Applications are Dangerous

A new study has found that the Web application security landscape is still fraught with danger – and financial services firms had better watch out.

At least seven out of 10 popular Web applications have vulnerabilities that could potentially let an unauthorized party steal critical personal information such as social security numbers or transfer money to their own accounts, according to a report by Santa Clara, Calif.-based Cenzic.

Common culprits include architectural flaws, design flaws and insecure application configurations. Overall, Cenzic pointed the finger at 1,561 unique vulnerabilities in a host of highly popular applications, ranging from Adobe Acrobat’s Reader to Google Desktop and IBM Websphere.

“The most surprising factor is that the majority of companies are vulnerable. And we’re talking here about the crème de la crème Fortune 2000 companies – so I dread to think what is happening with other smaller companies around the world,” says Mandeep Khera, vice-president of marketing for Cenzic.

“It’s a huge problem for financial services firms. They, together with e-retail firms, are the number one target. Because like Al Capone said, that’s where the money is,” he adds.

The most prevalent vulnerabilities are file inclusion, SQL injection, cross-site scripting and directory traversal, totaling 63 percent. The majority of vulnerabilities affected Web servers, Web applications and Web browsers.

And Cenzic says the bulk of these vulnerabilities are easily exploitable. In other words, hackers don’t have to be pros.

Vulnerabilities were found in Adobe Acrobat Reader, Google Desktop, IBM Websphere, IBM Rational ClearQuest Web 7.0, Lotus Domino’s Active Content Filter, the Sun Java Access Manager, Apache Tomcat and BEA WebLogic, to name but a few.

Khera says the main problem is lack of awareness and education. “Most high-level executives don’t know what application security means,” he points out.

When companies use thousands of applications they often lack the resources to fix problems in every single one, Khera adds.

Then again, what if developers working for software giants made sure their new programs didn’t have any security loopholes in the first place?

Posted by Melanie Rodier at 04:07 PM




