Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Shows Many Sites Still Failing Basic Security Measures

Posted by Unknown on from the remember-stack-smashing dept.

Orome1 writes with a summary of a large survey of web applications by Veracode. From the article: "Considered 'low hanging fruit' because of their prevalence in software applications, XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. When applying the new analysis criteria, Veracode reports eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports. Specifically for web applications, the report showed a high concentration of XSS and SQL Injection vulnerabilities, with XSS present in 68 percent of all web applications and SQL Injection present in 32 percent of all web applications."

7 of 103 comments (clear)

  1. 200 by badran · · Score: 5, Insightful

    I wonder how they test. Some sites that I manage return the user to the homepage on a hack attempt or unrecoverable error resulting in a 200 return. Would they consider such a system as hacked, since they got a 200 OK return, or not.

  2. what do you expect? by Nyder · · Score: 3, Insightful

    This is capitalism/corporations. It's all about profit, and spending extra on IT cuts into the bottom line.

    Economy is bad, so companies make cuts. Personnel, IT, Security, and everything but the CEO's bonuses get cut.

    --
    Be seeing you...
    1. Re:what do you expect? by Anonymous Coward · · Score: 2, Insightful

      If I gave you enough time to do development right, the competition would beat us to market, drive us out of business, and you would be out of a job.

      Don't think it is any different working for one of our competitors, they will overwork you just as hard for fear of US beating THEM to the market.

      The market has shown a surprisingly high tolerance for bugs and security gaps, so we simply can't afford to proactively fix those.

      And if you don't like my high bonus....go start your own company. After realizing just how hard and risky it all is, you will feel like you deserve a nice fat bonus too.

    2. Re:what do you expect? by Ramley · · Score: 3, Insightful

      I am sure your point is a part of the problem, but in my (many years) of experience, this has a lot more to do with a myriad of factors, none of which really outweigh the other by much.

      I am an independent developer who works on projects with security in mind from the ground up. Time/budget be damned, as it's my reputation on the line. If they can't pay for what it is worth, I tell them to find another developer.

      They tend to learn the hard way — it was a better option to stick with a security minded developer in the first place. 85% of them return as customers.

      The problem seems to be that most of the developers I have worked with, be it corporate employees, or indy's like myself, are one of two things, in general: (very general)

      1. Lacking knowledge of how to deal with the most common security threats.
      2. Lazy, and don't care enough to implement safeguards, etc.

      Most of the other excuses boil down to one of the above.

      That's my experience out there in the field, working with lots and lots of diverse companies. Of course profit and time to complete enter the picture, but over time, this can be overcome with a lot of experience and a lot of [code] libraries which can be easily implemented, no time lost.

  3. Uh huh by TheSpoom · · Score: 5, Insightful

    Security auditing company produces report that conveniently shows that their services are desperately needed. News at eleven.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  4. Re:Nothing new here by delinear · · Score: 5, Insightful

    The problem is that the media seem to be in the pocket of big corporations, so when Anonymous inevitably find one of these exploits and steal a bunch of data, the media never seem to hold the businesses who left the door open to account. The lack of security should be a massive topic of debate right now, but instead, outside of certain circles, it's a complete non-issue. During the coverage over here of the various exploits of Anonymous, I don't think I once heard any searching questions asked of the global corporations who allowed a bunch of teenagers to make their security look like the equivalent of a balsa wood door on Fort Knox (and that includes the BBC, who should be the least biased since they're not privately owned, but still either don't want to offend the PR departments of companies who feed them half of their content or just believe the company line and don't bother digging deeper for the real stories).

  5. Re:Citicorp Hack by tomhudson · · Score: 3, Insightful

    The *real* Citicorp hack was getting bailed out with $308 billion in loan guarantees, and NOBODY going to jail.