Leading Research Team Predicts Increase in Threats Related to Rapid Application Development, File Formats and Web 2.0
ATLANTA, Dec. 6 /PRNewswire/ -- S.P.I. Dynamics, Inc. (www.spidynamics.com), the
leading provider of Web application security testing software and
services, today released research from its SPI Labs division predicting
the top Web application security threats for 2007. The research found
that software developers who embrace Rapid Application Development
(RAD) to bring solutions to market faster will only add to the growing
number of application security defects hackers can target unless
security is embedded in key phases of the application development
lifecycle. In addition, hackers will likely escalate the use of file
format attacks and bridge hacking to stealthily seize confidential data.
"Not surprisingly, the 2006 SANS Top 20 list revealed that Web application vulnerabilities are increasingly being exploited and we can expect to see Web application threats rise and become more critical in 2007," said Caleb Sima, CTO and co-founder of SPI Dynamics. "As the security landscape continues to evolve and hackers improve their techniques, CSOs and development organizations need to look beyond their firewalls and anti-virus solutions to identify and fix the most inevitable targets for identity theft and phishing attacks -- the vulnerabilities found in their Web applications.
While the concept of securing applications during the development phase through input validation is one that has been around for over thirty years, it is still the most ignored, common sense solution to preventing these threats."
In no particular order, the most prevalent security trends identified by SPI Labs for 2007 include:
* RAD becomes BAD - An increasingly popular trend, RAD focuses on the
increased speed of application development. While increased quality is
also a goal of RAD, in reality quality is often sacrificed in order to
meet deadlines. Proper security testing during the design and
development phases is frequently part of what gets dropped, and that
oversight can and will lead to additional security vulnerabilities and
attack vectors unless organizations implement security throughout key
phases of the application development lifecycle.
* File Format Vulnerabilities: Yet Another Avenue for Phishing Attacks -
These vulnerabilities do not lie in the file itself; the vulnerability is
present in the application that interprets the file. As a result, a
single malicious file can exploit multiple applications that share the
same faulty parsing libraries. File formats are a key vector for spear
phishing attacks, and there are many popular targets for these types of
attacks, such as graphics programs, word processors, media players, Web
browsers and spreadsheet applications. Due to the complexity of many file
formats, these vulnerabilities are on the rise. This is underscored by
the fact that during 2006, Microsoft issued two out-of-cycle patches for
file format vulnerabilities, and over the past two years approximately a
quarter of its patches released were directly related to this class of
vulnerabilities.
* Hacking Along Bridges - Why Wouldn't Hackers Take the Easiest Route? -
This new trend involves a link or "bridge" between two sites, where one
site is able to send search requests to another, much larger site, such
as Amazon or Maps.com. Because the bridge has no security measures of its
own, it creates an easy avenue for hackers to attack the larger, more
desirable site. By hacking along bridges, attackers essentially piggyback
on the trust between the two sites, gain an extra layer to hide behind
and are able to attack the desired site quickly. As bridges continue to
grow in popularity, hackers will increasingly exploit these
vulnerabilities.
* Insecure Embedded Web Applications: Don't Forget Those Printers! - All
kinds of hardware, including printers and routers, run Web application
servers that are rarely patched properly because these devices are not
commonly seen as vectors for security attacks. Moreover, these devices
generally represent trusted systems within your network, which makes them
attractive footholds for attacks on other systems. For example, a
vulnerable switch could be configured to re-route traffic to the
attacker. Without patches and updates, these hardware-based Web
applications will always remain vulnerable and present a significant
insider threat.
* Web 2.0: A Hacker's Dream - As more dynamic and interactive Web 2.0
applications explode in 2007, we will continue to see an increase in
vulnerabilities brought forth by the new attack vectors Web 2.0 offers
hackers. While Web 2.0 promises to make Web applications built on
technologies such as AJAX, SOAP and RSS more usable and to connect us in
ways we have never imagined, we must not make the mistake of ignoring
security while increasing the complexity of Web applications.
* Client Side Attacks Come of Age - Historically, we have considered
server side vulnerabilities to exceed their client side counterparts in
terms of vulnerability severity. That logic is being turned on its head
with the advent of phishing attacks and identity theft, which have
exploded in recent years. Client side vulnerabilities such as those
found in Web browsers have become the facilitators which make these
attacks possible.
* Web Application Worms - Attackers are leveraging vulnerabilities in
popular Web applications to spread malicious code among the users of
those sites. Web-based worms have proven to be a highly successful means
of conducting blanket phishing attacks against the millions of
unsuspecting users who frequent such sites and who can become victims
simply by visiting an infected Web page. The vulnerabilities arise from
relaxed rules on client-provided script, an increasingly popular
trend because it allows users to produce dynamic, personalized content.
Yahoo! and MySpace have fallen victim to such attacks, and others are
expected to emerge in the coming year.
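The worm trend above comes down to accepting user-provided markup with relaxed rules on script. The example below, added here and not code from SPI Dynamics or the release, shows the opposite policy: an allowlist sanitizer that rebuilds a user-supplied fragment keeping only a few tags and attributes, discards event handlers and non-http(s) links, and reports how much it dropped so the application can log suspicious submissions. The allowed tag and attribute sets are assumptions chosen for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of tags and attributes that user-provided content may keep
# (assumed policy for this example); everything else is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a markup fragment, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0       # rejected tags/attributes, worth logging server-side
        self.skipping = False  # True inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1  # covers onclick, onmouseover, style, ...
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped += 1  # rejects javascript:, data:, vbscript: links
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text content is always entity-escaped


def sanitize(fragment):
    """Return (clean_html, dropped_count) for a user-supplied fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

A non-zero dropped count on a profile or comment submission is a cheap detection signal: legitimate users rarely paste event handlers or script tags.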
"While SQL injection and Cross-Site Scripting attacks will continue to drive incidents of phishing and identity theft, security managers need to be aware of the next generation of threats and begin taking measures to protect against them," said Michael Sutton, Security Evangelist for SPI Dynamics.
"It is crucial that security is embedded into every phase of the software development lifecycle so that potential security defects are corrected at the source as this is the best defense against these threats."
For more educational information on cutting-edge Web application security research from the experts in SPI Labs including trend articles, white papers, Webcasts, podcasts and presentations, please visit http://www.spidynamics.com/spilabs/index.html.
About S.P.I. Dynamics, Inc.
SPI Dynamics delivers a comprehensive suite of products and services
(http://www.spidynamics.com/products/index.html) that help to identify and remediate Web application and Web services security vulnerabilities found at key stages throughout the Web Application Lifecycle. SPI Dynamics solutions enable security professionals, QA testers, and developers to work together to assess, analyze, and remediate Web applications and Web services for security vulnerabilities, and verify compliance with over 20 security policies like SOX, HIPAA and PCI. The Company's unique approach, utilizing patent-pending Intelligent Engines(TM) technology combined with the largest Web application security vulnerability knowledgebase in the industry, delivers unparalleled speed and accuracy. SPI Dynamics' research and development team, SPI Labs, is widely recognized as one of the world's leading authorities on Web application security and risk management. The Company has over 850 customers among Global 2000 enterprises, including over 90 U.S. Federal accounts, and has strategic partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa investing in the Company in 2005. SPI Dynamics is privately held with headquarters in Atlanta, Georgia. For more information on Web application security, visit www.spidynamics.com or call (866) 774-2700.
Start Secure. Stay Secure. is a registered trademark, and Intelligent Engines is a trademark of S.P.I. Dynamics, Inc. Product or service names mentioned herein are the trademarks of their respective owners.