Serious Web Vulnerabilities Dropped In 2011
wiredmikey writes "It's refreshing to see a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD. Web Application Security firm WhiteHat Security released a report this week (PDF) showing that the number of major vulnerabilities has fallen dramatically. Based on the raw data gathered from scans of over 7,000 sites, there were only 79 substantial vulnerabilities discovered on average in 2011. To compare, there were 230 vulnerabilities on average discovered in 2010, 480 in 2009, 795 in 2008, and 1,111 in 2007. As for the types of flaws discovered, Cross-Site Scripting (XSS) remained the number one problem, followed by Information Leakage, Content Spoofing, Insufficient Authorization, and Cross-Site Request Forgery (CSRF) flaws. SQL Injection, an oft-mentioned attack vector online, was eighth on the top ten."
"It's refreshing to see a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD."
They're doing it wrong. Don't assume that if you can't see it, it isn't there.
#fuckbeta #iamslashdot #dicemustdie
Well, he could have mentioned the interesting fact that the linked SecurityWeek article claims "As for the industry comparison, baking finished on top with an average of 17 vulnerabilities, while retail remained on the bottom with 121."
Always knew you could trust a baker...
Bankers were probably lumped in with retail and the other bottom-feeders.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Unfortunately, 'Mark Zuckerberg', 'The Nation State', and 'Google' remain on the list of outstanding serious web vulnerabilities, leading some to wonder whether it would be necessary to introduce a system weighting the seriousness of vulnerabilities as well as merely enumerating them...
OMG, what next? A calf with two heads? We're doomed!
Oh, the beautiful gloss of greality!
As I see no technical reason for web applications to be less vulnerable, my guess is that black hats who find vulnerabilities are just more careful with them in order to be able to exploit them longer.
The other reason I see is that the metric is wrong. It may just be that the vulnerability types have changed and the metric used by this report has not kept up.
Anyways, no reason to celebrate. Practical IT security is still in a very sad state and I do not see this changing anytime soon. By now I believe that the currently active developer generations have to retire and be replaced by ones with security-awareness. As this "new" generation is still not being educated, the problem will be with us at least for several decades.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Indeed. And fixing it can take up to 45 years...
It seems the crackers are now using dirty sites and SEO to attack ignorant users who are drawn to them, instead of targeting legit sites and injecting them with malware for drive-bys like before.
Anyone else notice that when searching for something technical in Google you will see comments which are identical on like 5 sites, where 4 are just copied from the 5th? Some do not even have domain names, as AV software can detect and block these. The comments are copied to make the site hit SEO numbers, and they have tons of ads that play videos whether you click on them or not so they can steal some money, and some even inject malware.
It is frustrating, as I have to click around 2 or 3 sites to get to the legitimate article I am looking for, or to the comments that deal with an article I want to read, etc.
Just a difference in tactics.
http://saveie6.com/
A calf with two heads? Do you have any idea how awesome that brand of head cheese would be? They could probably charge double per lb.
This issue is a bit more complicated than you think.
Seems like this last year or so there have been a far larger number of companies reporting their data being compromised than in past years.
In any case, I'd say between LulzSec and Anonymous, the hunt for and the arrests of these asshats might just be causing them to lay low for a while.
Users are just that, "Users". They are not pedantic wannabe security gurus who think they actually know what they are doing. They just want to run their applications. Most users have better things to do with their time than sitting around nitpicking obscure security issues, most of which can only be duplicated in a controlled lab environment using specifically defined steps. Those who talk about nothing but OS security vulnerabilities never seem to realize the purpose of an OS is for running applications. Some of the best software engineers and developers in the world working for MS, Apple, Google, IBM, or independent OS vendors have still been unable to provide perfect security. The sheer number of permutations of hardware, applications, and multi-OS versions and functionality is staggering. Add in your average web developer, poor system administrators, and other types of application developers, and it guarantees perfect security will never exist. Sloppy system admins are also responsible for opening security holes through their half-assed configuration and server management procedures. If you really want a secure system, unplug your Internet connection and disable your external media. On the corporate side, invest your time in hardened firewalls and persistent system monitoring. Security and productivity require responsible trade-offs. If you want a 100% exploit-free OS and applications, you would most likely be looking at a 10+ year development cycle before any new features and applications get released. Even antivirus solutions or source code analysis tools only look for specific signatures to identify problems, but they can only provide that type of protection after the exploit has already been discovered, after the OS and applications have been released for use. Engineering malware using well-known applications instead of creating one-off components makes it harder to ID rogue applications and exploits because they are basically hiding in plain sight.
And you are also very wrong about the documentation MS provides about creating secure applications. Both developers and users can access this information freely anytime they want.
I think the vulnerabilities are dropping because the three most commonly used browsers, Internet Explorer, Chrome and Firefox, have all been patched and/or upgraded on a fairly frequent basis for a couple of years. Besides Microsoft's once-a-month (sometimes more) patches for IE, Chrome and Firefox are now on much faster update/patch cycles, and I think that has cut down on the number of issues with browser-based malware attacks.