Web app security fixes down to 11 days in 2013


Warwick Ashford

Suppliers of web applications took nearly two weeks on average to release critical security updates after being notified of a vulnerability in 2013, research has revealed.

But this is a 35% improvement on the year before, according to the latest Web Application Security Trends report by Swiss information security firm High-Tech Bridge.


The average time to patch critical-risk vulnerabilities fell from 17 days in 2012 to 11 days in 2013, while response times across all risk levels improved by 33% to an average of 18 days.

The report stated many of the suppliers notified of a vulnerability by High-Tech Bridge reacted within hours and released a security patch in a couple of days.

The vast majority of suppliers alerted their users to the vulnerabilities identified in a fair and rapid manner, but not all.

“Eleven days to patch critical vulnerabilities is still a fairly long delay,” said Ilia Kolochenko, chief executive officer of High-Tech Bridge.

“But, thankfully, even though serious vulnerabilities are becoming more complex to detect and exploit, there are vendors such as BigTree CMS who are responding to even complex vulnerabilities in less than three hours,” he said.

Security message finally sinking in

The latest report said general awareness among suppliers about the importance of application security is also growing, with many finally taking security seriously.

In the past, even well-known suppliers postponed security-related fixes in favour of releasing new versions of their software with new functionality and unpatched vulnerabilities, the report said.

In 2013, however, no big supplier adopted this “dangerous approach” of prioritising functionality over security, the report said.

According to High-Tech Bridge, only three of the 62 security advisories released by the firm in 2013 remain unpatched.

The report said despite better coding practices making serious vulnerabilities in mature apps difficult to find, there were cases where this was undermined by basic mistakes.

Failure to delete installation scripts, for example, enables cyber criminals to compromise an entire application, the report said.

“This highlights the importance of independent security testing and auditing of web applications, as even professional developers may simply miss or forget to control vital security points,” said Kolochenko.

Many of the vulnerabilities previously rated as high or critical risk were downgraded to medium risk in advisories in 2013 because their exploitation required the attacker to be authenticated or logged in.

“This confirms that web developers should also pay attention to security for parts of the application accessible only to ‘trusted’ parties, who may in fact be quite hostile,” said Kolochenko.

In-house apps, XSS and SQLi most vulnerable

Combining its security research with statistics from its web application security testing software and penetration testing, High-Tech Bridge found in-house applications to be the most vulnerable.

In-house applications made up 40% of the most vulnerable apps, followed by plug-ins and modules for content management systems (30%), small content management systems (25%) and large content management systems like WordPress (5%).

Cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities are still the most common weaknesses, making up 55% and 20% of all vulnerabilities found in 2013 respectively.

However, 90% of large and medium-sized content management systems are vulnerable to XSS and SQL injection because they are not up to date or are incorrectly configured, said Marsel Nizamutdinov, chief research officer at High-Tech Bridge.

“However, we have made great progress in terms of positive impact our research brings to the industry, with tens of thousands of popular websites no longer at risk of compromise thanks to our efforts and collaboration with software suppliers,” he said.
