NINE OUT OF TEN web applications have flaws that could lead to the exposure of sensitive information, an insecurity outfit has warned.
In its report, with the racy title Web Application Security Trends Report Q1-Q2, 2009, Cenzic claims that more than 3,100 vulnerabilities were identified in the first half of the year, 10 per cent more than the number identified in the second half of 2008. It seems that web applications are just getting worse.
Of these, 78 per cent were web application vulnerabilities. Ninety per cent of the web application vulnerabilities were in commercial web apps and eight per cent were in the browsers that run them.
PHP, SAP, Sun, Citrix, Apache, F5 Networks, Symantec, and IBM all ran software that was broken by the vulnerabilities.
SQL Injection and Cross Site Scripting vulnerabilities played a role in about half of all web attacks.
Cenzic's report claims that 87 per cent of the analysed web applications "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions."
Firefox and Safari were the worst browsers for flaws, and Google's Chrome was conspicuously absent. However, the Inquirer thinks that's primarily because practically no one uses the Chrome browser yet.
Mozilla Firefox had the largest percentage of flaws at 44 per cent.
"What was surprising was that the Safari browser had a lot more vulnerabilities at 35 per cent this time around, mainly due to vulnerabilities reported in iPhone Safari. Internet Explorer was third at 15 per cent and Opera [was fourth] with six per cent of total browser vulnerabilities," the report said.
While Firefox has had a higher number of vulnerabilities than Internet Exploder, Firefox bugs have been fixed more quickly. So that should be some consolation. µ
All software has problems, some are just the result of adding other vulnerable software. I will stick with my Firefox.
Actually, most everything that has to do with computers is broken, as they can't fix themselves and are only as good as the people that make them, unlike a car, for example, where the company that builds it has control over all aspects of the car, even though they don't make all the parts. The problem nowadays is some things are made to break.
A lot of those buggy Web apps are written in PHP.
Coincidence? You decide.
http://groups.google.co.nz/group/nz.comp/msg/4c2a4d220499dafd