Current Web Security Standards Not Enough, Study Finds

Application security company Cenzic's recent report on Web security trends relayed a damning assessment of the IT security landscape that's prompting some to suggest the government should step in to give enterprises and individuals guidance on how to protect themselves.

One notable finding in Cenzic's "Web Application Security Trends Report," released Wednesday, is that the number of vulnerabilities reported in Q3 and Q4 of 2008 increased by 10 percent from the first half of the year to 2,835. Of those bugs, "a staggering 80 percent" pertain to Web applications, Cenzic said.

The report identifies 10 major vulnerabilities on the Web affecting Microsoft, Mozilla, Adobe and others, as well as the most common "vulnerability types," which include cross-site scripting holes, buffer overflows, orphan accounts, subpar session management and bad application configuration management.

Most of these vulnerabilities should be covered in the management-level mandates under Sarbanes-Oxley, HIPAA and Payment Card Industry (PCI) security standards. But each of these compliance objectives has been criticized in one form or another. PCI, for instance, came under criticism after a security attack last year at Hannaford Bros. and another one in January at Heartland Payment Systems. Both of those organizations were PCI standards-compliant -- and got hit anyway.

Mandeep Khera, chief marketing officer at Cenzic, said in an e-mail that Internet-based application weaknesses represent a virtual "gold mine" for hackers. The big problem, he contended, is the lack of centralized oversight of the national cybersecurity matrix.

"Perceived leniency from regulatory compliance bodies, coupled with lack of awareness about tools to prevent it, have allowed Web application vulnerabilities to become a blind spot for many organizations," Khera said.

Phil Lieberman, president of Los Angeles-based security vendor Lieberman Software, agreed that the current security environment warrants more unifying legislation that would allow individuals and organizations to fight back against those who attack their systems in real-time. 

"In effect, we need the creation of the concepts of self-defense, castle laws, as well as Good Samaritan laws for those that push back criminals and those that attempt to disrupt commerce and communication on the Internet," he said. "These would be laws that cover all civilian users of the Internet. As it now stands, civilians are prohibited from taking any action to stop attackers, and so are ISPs. We are all told to buy better firewalls, anti-virus, anti-malware, intrusion detection devices, and just take the punishment."

Pointing to Cenzic's findings that more than 75 percent of security attacks happen over the Web and over 80 percent of Web sites are severely vulnerable, Khera added, "We as a nation have to question our cybersecurity priorities."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus


  • Death of the Dev Machine?

    Here's a takeaway from this week's Ignite 2020 event: An advanced Azure cloud portends the death of the traditional, high-powered dev machine packed with computing, memory and storage components.

  • COVID-19 Is Ignite 2020's Elephant in the Room: 'Frankly, It Sucks'

    As in all things of our new reality, there was no escaping the drastic changes in routine caused by the COVID-19 pandemic during Microsoft's big Ignite 2020 developer/IT pro conference, this week shifted to an online-only event after drawing tens of thousands of in-person attendees in years past.

  • Visual Studio 2019 v16.8 Preview Update Adds Codespaces

    To coincide with the Microsoft Ignite 2020 IT pro/developer event, the Visual Studio dev team shipped a new update, Visual Studio 2019 v16.8 Preview 3.1, with the main attraction being support for cloud-hosted Codespaces, now in a limited beta.

  • Speed Lines Graphic

    New for Blazor: Azure Static Web Apps Support

    With Blazor taking the .NET web development world by storm, one of the first announcements during Microsoft's Ignite 2020 developer/IT event was its new support in Azure Static Web Apps.

  • Entity Framework Core 5 RC1 Is Feature Complete, Ready for Production

    The first release candidate for Entity Framework 5 -- Microsoft's object-database mapper for .NET -- has shipped with a go live license, ready for production.

Upcoming Events