Slashdot Mirror


3,800 Vulnerabilities Detected In FAA's Web Apps

ausekilis sends us to DarkReading for the news that auditors have identified thousands of vulnerabilities in the FAA's Web-based air traffic control applications — 763 of them high-risk. Here is the report on the Department of Transportation site (PDF). "And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. ... Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report. Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection."

4 of 88 comments

  1. Security expert point of view. by canipeal · Score: 5, Interesting

    As a security engineer (CISSP & CSSLP) with several years of experience in C&A and pen testing, I must say that the results aren't a surprise by any means. What I DO find disturbing is the amount of detail provided in a public report given the fact that the FAA has yet to fully apply its remediation strategies for the vulnerabilities identified. Is there any info as to what tools they used for app testing? My experience shows that tools such as App Detective and Web Inspect actually inflate the number of findings. This is due to the fact that the applications identify vulnerabilities by instance and not by category/type.

    1. Re:Security expert point of view. by Zapotek · Score: 5, Interesting
      Funny thing...
      I was developing a web app security assessment platform like Metasploit but for web apps...so I had to get a peek at the competition.
      So like a good boy I set up a logger on my website and asked a big security firm to demo their own automated web assessment tool on my website.
      I received a report of some hundreds of vulnerabilities. Needless to say not one of them was correct. So I e-mailed them back and told them and got a response with an apology.
      If they used an automated tool like that it's very probable most of the vulns were false positives.
      Oh and by the way, many of these tools detect e-mail addresses or contact info posted on the site as possible vulnerabilities because they provide "sensitive information".

      My point being...don't fully trust the report. Sure they must have some serious security risks on their website but 3,800 seems extravagant.

      PS. Sorry to the guy above me with the "I want a link to the page where I can control a plane!!" for removing my mod +1 funny to his comment. I just had to post this reply. hehe

  2. Programming by icepick72 · Score: 3, Interesting

    Who builds the FAA web apps?

  3. I love these hard-hitting reports by e9th · Score: 2, Interesting
    FTFR:

    35 Internet-based or public use web applications were tested. On those web based applications 212 high risk, 169 medium risk, and 1,037 low risk vulnerabilities were found.

    What apps? What vulns?
    Surely they've all been fixed/replaced by now (if not, why not?), so why not let the rest of us know what was discovered?