Web and mobile applications are the new frontiers in the war against cyber attack, according to the latest top cyber security risks report from Hewlett Packard.
The report reveals that SQL injection (SQLi) attacks on web applications have increased sharply from around 15 million in 2010 to more than 50 million in 2011.
In 2011, SQLi attacks represented the most popular technique used against web applications, with three times as many SQLi attacks than PHP file inclusion and cross-site scripting attacks combined.
"Good software should not introduce security vulnerabilities, yet 86% of web applications analysed had some kind of vulnerability," said Simon Leech, presales director, HP Enterprise Security.
Web application vulnerabilities account for 36% of all vulnerabilities, the report said, exacerbated by customisation and add-ons.
Static analysis revealed simple coding mistakes result in significant numbers of vulnerabilities, with 54% containing cross-site scripting flaws and 86% containing injection flaws.
"While not all code level vulnerabilities will be attacked, these can result in loss of compliancy or data sharing that can fuel attacks in other areas," the report said.
Dynamic analysis of the web applications in use showed 74% were vulnerable to cross-site scripting attacks and 12% were vulnerable to injection flaws.
The report said that while these numbers are smaller, they are not less risky, as vulnerabilities are difficult to detect and defend against without hindering business.
The research showed the number of attack types conducted against mobile applications is also on the rise.
"Mobile application security is still in its infancy, but a minimal approach is inadequate," said Leech, noting that many applications are "designed to leak data" and that "no platform is safe".
Regardless of platform, he said, the research shows web and mobile applications are rapidly becoming the primary target for attack.
The research data for the report is drawn from the Open Source Vulnerability Database, HP DVLabs Zero Day Initiative (ZDI), HP Fortify Web Security Research Group, and Fortify on Demand.
Attack information is drawn from a worldwide network of HP TippingPoint Intrusion Prevention Systems and exploit analysis from HP DVLabs.
10 May 2012