Web applications are the biggest security blindspot out there according to a new analysis of real-world threats.
Compiled over a six-month period by Fortify Software using data from customers of its Application Defense system, the report notes the lack of data on web application issues when compared with established attacks such as "viruses, network-based attacks, public vulnerability announcements, and Spam/Phishing schemes".
At the head of the list of application threats uncovered by Fortify are automated "bots storms", which on average accounted for 50 to 70 percent of the attacks on web applications found by the study. These are able to trawl randomly for known and unknown vulnerabilities without the need for human intervention, hence their growing popularity.
Bots, of course, are a nightmare to stop because they direct attacks from thousands or even millions of PCs located across the globe in multiple domains. The phenomenon of "Google hacking" now accounted for a further 20 percent of attacks, whereby hackers can glean vulnerability data on specific websites by analysing Google’s search results using software tools.
Recorded at lower but still significant levels were even more dangerous forms of attack such as cross-site scripting, SQL injection and standard buffer overflow compromises based on holes in specific applications. "It’s critical that businesses understand the risk exposure of their applications and take the necessary steps to avoid dangerous security attacks," said Fortify’s Brian Chess. "There is a wealth of research covering viruses, network-based attacks, public vulnerability announcements, spam, and phishing schemes, but very little focusing on Web-enabled applications that sit beyond the reach of firewalls and traditional network security."
Some operating systems - the report fingers a variant of Free BSD - aid the anonymity of the Internet, allowing proxying to be conducted without the need for extensive expertise. This means that criminals can hide their activities using proxies and encryption, even when carrying out hacks manually.
This renders some of the country origination data for web application attacks pretty useless. The US comes out in the number one spot in Fortify’s analysis, with China in second place, and Poland in third. But if criminals are using anonymising tools, then this the bulk of attacks could be coming from just about anywhere and everywhere.