Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Shows Many Sites Still Failing Basic Security Measures

Posted by Unknown on from the remember-stack-smashing dept.

Orome1 writes with a summary of a large survey of web applications by Veracode. From the article: "Considered 'low hanging fruit' because of their prevalence in software applications, XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. When applying the new analysis criteria, Veracode reports eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports. Specifically for web applications, the report showed a high concentration of XSS and SQL Injection vulnerabilities, with XSS present in 68 percent of all web applications and SQL Injection present in 32 percent of all web applications."

4 of 103 comments (clear)

  1. Citicorp Hack by Anonymous Coward · · Score: 5, Interesting

    Then there is the Citicorp hack, where they dont even bother hashing the account numbers in the URL...

  2. Re:200 by slazzy · · Score: 5, Interesting

    One of the sites at a company I worked for provides fake data back when people attempt sql injection, sort of a honeypot to keep hackers interested long enough to track them down.

    --
    Website Just Down For Me? Find out
  3. It's the Same Everywhere by derrickh · · Score: 5, Interesting

    You have to realize that somewhere on the net there's a surveillance camera forum with guys saying 'businesses are too cheap to invest in multiple cam setups to cover exploitable deadzones'... and there's a locksmith forum with guys saying 'These companies are still relying on double bolt slide locks, when everyone knows they can be bypassed with a simple Krasner tool!'...and there's a car autosecurity forum wondering why companies still use basic Lo-jack instead of the new XYZ system.. and don't forget the personnel consulting forum where everyone complains that companies don't invest enough in training to recognize grifting attempts on employees.

    It's a never ending list and to expect everyone to be on top of all of them at all times is n't realistic.

    D

    --
    The first, last, and only tech news site on the net
  4. Yeah but in htis case they're probably right... by ray-auch · · Score: 5, Interesting

    Where I work, every time we get told to put our details into some new provider system for expenses, business travel or whatever (happens regularly with corporate changes) we see who can hack it first. We're developers, it's our personal data, why wouldn't we check ?

    The fraction that are hacked in minutes is probably near 50%, and 32% for SQL injection is probably about right.

    I'm not sure which is more depressing - the state of the sites or that even though we have a "security" consultancy practice in house, we get corporate edicts to put our data into sites that we haven't even bothered to audit to the extent of sticking a single quote in a couple of form fields or changing the userid in the url...