Life Still Risky on the Wild, Wild Web

A quartet of studies and attention from the group mandated to protect credit and debit cards makes clear that threats from Web application exploits are as dangerous -- or even more dangerous -- than ever.

Webroot reports that 80 percent of malware is distributed via the Web. The firm says that despite the reliance of an increasing number of companies on the Web for mission-critical functions, many have not taken heed of new threats that have accompanied the move to Web 2.0. In short, firms are taking advantage of the new functionality without guarding against new problems. Indeed, only 15 percent of businesses surveyed by the company report having "solid" -- the term is a bit nebulous -- enforcement of policies. Forty-nine percent allow unlimited access to social networking sites and 85 percent rely on desktop defenses that do not scan for malware in inbound Web traffic, the story says.

The second report is from the Web Application Security Consortium (WASC). It found that 97 percent of sites carry at least one vulnerability that is considered severe. WASC looked at data from 32,000 sites using automated and white- and black-box scans. Interestingly, cross-site request forgery (CSRF) was found in only 1.43 percent of the applications, but is still considered the most pervasive problem. The low score was partly due to its difficulty to detect, the Dark Reading story said. The report found that white- and black-box approaches were better at detecting vulnerabilities than automated scanners.

The third report, released earlier this month, is from Palo Alto Networks. It found that HTTP applications utilize 64 percent of enterprise bandwidth, that streaming video consumes significant bandwidth, and that applications are "the major uncontrolled threat vector." Palo Alto says 86 percent of organizations inadvertently hosted a hidden iFrame exploit, 62 percent of organizations hosted media threats, and each organization had adware and spyware infiltration. Palo Alto found almost 200 types of adware and spyware.

Still another report, this one was released in late August, comes from WhiteHat Security. The firm's number was slightly different, but the overall conclusions about the rise of Web vulnerabilities remain constant. The firm found that 82 percent of sites have one or more security issues and that 61 percent have issues of "high," "crucial" or "urgent" importance level. The most significant change to this fifth version of the report is that CSRF has replaced directory indexing in the top 10 vulnerabilities.

The Payment Card Industry Data Security Standard (PCI DSS) is aimed at protecting the personal information of people using payment and credit cards. This year, according SC Magazine, uncertainty developed over the meaning of PCI DSS section 6.6. The section is interned to secure Internet applications. Some in the industry surmised that the requirements could be met by implementing a Web application firewall (WAF), obviating the need to build more security into applications. This isn't so, and the PCI Security Standards Council published a clarification of what is needed. The four steps are manual review of application source code, proper use of source code scanning tools, a manual Web application security vulnerability assessment, and proper use of Web application scanning tools.

There is a tremendous amount of data available from PCI DSS and those who ran the study. The bottom line, however, remains clear and simple: Web applications remain a dangerous threat.