Leading Research Team Predicts Increase in Threats Related to Rapid Application Development, File Formats and Web 2.0
ATLANTA, Dec. 6 /PRNewswire/ -- S.P.I. Dynamics, Inc. (www.spidynamics.com), the
leading provider of Web application security testing software and
services, today released research from its SPI Labs division predicting
the top Web application security threats for 2007. The research found
that software developers who embrace Rapid Application Development
(RAD) to bring solutions to market faster will only add to the growing
number of application security defects hackers can target unless
security is embedded in key phases of the application development
lifecycle. In addition, hackers will likely escalate the use of file
format attacks and bridge hacking to stealthily seize confidential data.
"Not surprisingly, the 2006 SANS Top 20 list revealed that Web
application vulnerabilities are increasingly being exploited and we can
expect to see Web application threats rise and become more critical in
2007," said Caleb Sima, CTO and co-founder of SPI Dynamics. "As the
security landscape continues to evolve and hackers improve their
techniques, CSOs and development organizations need to look beyond
their firewalls and anti-virus solutions to identify and fix the most
inevitable targets for identity theft and phishing attacks -- the
vulnerabilities found in their Web applications.
While the concept of securing applications during the development
phase through input validation is one that has been around for over
thirty years, it is still the most ignored, common sense solution to
preventing these threats."
In no particular order, the most prevalent security trends identified by SPI Labs for 2007 include:
* RAD becomes BAD - An increasingly popular trend, RAD focuses on
increasing the speed of application development. While improved quality
is also a goal of RAD, in practice quality is often sacrificed in order
to meet deadlines. Proper security testing during the design and
development phases is frequently skipped, and that oversight can and
will lead to additional security vulnerabilities and attack vectors
unless organizations implement security throughout key phases of the
application development lifecycle.
* File Format Vulnerabilities: Yet Another Avenue for Phishing Attacks -
These vulnerabilities don't lie in the actual file; the vulnerability is
present in the application that interprets the file. As a result, a
single malicious file can exploit multiple applications leveraging the
same faulty libraries. File formats are a key vector for spear phishing
attacks and there are many popular targets for these types of attacks,
such as graphical programs, word processors, media players, Web browsers
and spreadsheet applications. Due to the complexity of many file
formats, these vulnerabilities are on the rise. This is underscored by
the fact that during 2006, Microsoft issued two out-of-cycle patches for
file format vulnerabilities and over the past two years, approximately a
quarter of its patches released were directly related to this class of
vulnerabilities.
* Hacking Along Bridges - Why Wouldn't Hackers Take the Easiest Route? -
This new trend involves a link or "bridge" between two sites where one
is able to send search requests to another much larger site, such as
Amazon or Maps.com. Because the bridge doesn't have its own security
measures, it creates an easy avenue for hackers to attack the larger,
more desirable site. By hacking along bridges, attackers essentially
piggyback on the trust between the two sites, gain an extra layer to
hide behind and are able to attack the desired site quickly. As bridges
continue to grow in popularity, hackers will increasingly exploit these
vulnerabilities.
* Insecure Embedded Web Applications: Don't Forget Those Printers! -
Hardware such as printers and routers runs embedded Web application
servers which are rarely updated properly, as these devices are not
commonly seen as vectors for security attacks. Moreover, these devices
generally represent trusted systems within your network, which makes
them useful staging points for attacks on other systems. For example, a
vulnerable switch could be configured to re-route traffic to the
attacker. Without patches and updates, these hardware-based Web
applications will remain vulnerable and present a significant insider
threat.
* Web 2.0: A Hacker's Dream - As more dynamic and interactive Web 2.0
applications explode in 2007, we will continue to see an increase in
vulnerabilities brought forth by the new attack vectors Web 2.0 offers
hackers. While Web 2.0 promises to make Web applications built on
technologies such as AJAX, SOAP and RSS more usable and connect us in
ways that we've never
imagined, we must not make the mistake of ignoring security while
increasing the complexity of Web applications.
* Client Side Attacks Come of Age - Historically, we have considered
server side vulnerabilities to exceed their client side counterparts in
terms of vulnerability severity. That logic is being turned on its head
with the advent of phishing attacks and identity theft, which have
exploded in recent years. Client side vulnerabilities such as those
found in Web browsers have become the facilitators which make these
attacks possible.
* Web Application Worms - Attackers are leveraging vulnerabilities in
popular Web applications to spread malicious code among the users of
those sites. Web-based worms have proven to be a highly successful means
of conducting blanket phishing attacks against the millions of
unsuspecting users that frequent such sites who can become victims
simply by visiting an infected Web page. The vulnerabilities arise due
to relaxed rules on client provided script, an increasingly popular
trend as it allows users to produce dynamic personalized content. Yahoo!
and MySpace have fallen victim to such attacks and others are expected
to emerge in the coming year.
"While SQL injection and Cross-Site Scripting attacks will continue to
drive incidents of phishing and identity theft, security managers need
to be aware of the next generation of threats and begin taking measures
to protect against them," said Michael Sutton, Security Evangelist for
SPI Dynamics.
"It is crucial that security is embedded into every phase of the
software development lifecycle so that potential security defects are
corrected at the source as this is the best defense against these
threats."
For more educational information on cutting-edge Web
application security research from the experts in SPI Labs including
trend articles, white papers, Webcasts, podcasts and presentations,
please visit http://www.spidynamics.com/spilabs/index.html.
About S.P.I. Dynamics, Inc.
SPI Dynamics delivers a comprehensive suite of products and services
(http://www.spidynamics.com/products/index.html)
that help to identify and remediate Web application and Web services
security vulnerabilities found at key stages throughout the Web
Application Lifecycle. SPI Dynamics solutions enable security
professionals, QA testers, and developers to work together to assess,
analyze, and remediate Web applications and Web services for security
vulnerabilities, and verify compliance with over 20 security policies
like SOX, HIPAA and PCI. The Company's unique approach, utilizing
patent-pending Intelligent Engines(TM) technology combined with the
largest Web application security vulnerability knowledgebase in the
industry, delivers unparalleled speed and accuracy. SPI Dynamics'
research and development team, SPI Labs, is widely recognized as one of
the world's leading authorities on Web application security and risk
management. The Company has over 850 customers among Global 2000
enterprises, including over 90 U.S. Federal accounts, and has strategic
partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa
investing in the Company in 2005. SPI Dynamics is privately held with
headquarters in Atlanta, Georgia. For more information on Web
application security, visit www.spidynamics.com or call
(866) 774-2700.
Start Secure. Stay Secure. is a registered trademark, and Intelligent Engines
is a trademark of S.P.I. Dynamics, Inc. Product or service names
mentioned herein are the trademarks of their respective owners.