Research Shows New Security Threats Confront Web-Based Applications
Bot Storming, ‘Google Hacking’ and Directed Attacks Emerge as Today’s Most Imminent Threats
SAN FRANCISCO, Calif., July 17 — Fortify Software Inc., the leading provider of products that identify and remediate security vulnerabilities in software to mitigate enterprise security risk, today announced the results of the first empirical research into attacks that specifically target Web-based applications. After collecting data from a wide variety of its customers’ Web applications over the course of six months, Fortify identified four primary attack methods that present an imminent threat to Web-based applications today, including bot storming, Google hacking, directed attacks and attacks from a wide range of global sources.
— Bot Storming: Over half of the attacks on Web applications over the six-month period were generated by automated probes, bots, or bot networks searching for unprotected or unpatched components of Web applications. Probes of this type can be negligible or catastrophic, depending on the way Web applications are built, and can be a forerunner to Internet worms and directed attacks.
— Google Hacking: Over 20 percent of all security events in the Fortify monitoring pool were the result of hackers accessing Web site vulnerability information stored in search engine indices. For example, a Web application may report diagnostic information if a Web page is broken. Hackers can use information stored in search engine indices of that site to map out the components and internal structure of the application.
— Directed Attacks: These Web application-specific attacks are less frequent, but are much more sophisticated and dangerous to Web applications. The techniques most often noted were cross-site scripting, SQL injection and buffer overflow attacks.
— Global Attack Base: Fortify’s research revealed a wide range of attack origination points, including the United States, China, Poland, Australia, and many other countries, reflecting an increasingly global attack base. In addition, the use of anonymizing technologies and proxy servers continues to mask the true locations of Web application attack sources, reflecting their "invisible" nature.
"There is a wealth of research covering viruses, network-based attacks, public vulnerability announcements, spam, and phishing schemes, but very little focusing on Web-enabled applications that sit beyond the reach of firewalls and traditional network security," said Brian Chess, Chief Scientist, Fortify Software. "With today’s consumers and businesses depending on Web applications, such as ecommerce and financial services applications that contain sensitive customer information, it’s critical that businesses understand the risk exposure of their applications and take the necessary steps to avoid dangerous security attacks."
Data for this report was collected from a wide range of enterprises that use Fortify Application Defense and agreed to share their data for the express purpose of highlighting key findings and trends in real-world attack patterns. The full report, along with recommended actions to take to prevent attacks on Web-based and other software applications, can be found at www.fortifysoftware.com/threatreport.jsp.
About Fortify Software, Inc.
Fortify Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products, Fortify Source Code Analysis Suite, Fortify Security Tester and Fortify Application Defense, drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software is backed by leading investors, including Kleiner, Perkins, Caufield & Byers, and a world-class team of software security advisors and partners. More information is available at www.fortifysoftware.com.
Source: www.keepmedia.com 17-07-2006