Web 2.0 technologies are fraught with vulnerabilities. Seventy-one percent of all security vulnerabilities were attributed to both open source and commercial Web applications, according to a report by security firm Cenzic Inc., "Application Security Trend Report for Q4 2007."
But before you freak out, let's put this in perspective. Cenzic is a security firm that sells many products, which boast "complete web application security vulnerability management, and security enforcement assessment software." With software like that to sell, their report surely isn't going to tell you that Web apps are safe and secure. This is fine, because as we all know they are not. So let's take a look at their findings.
* Applications written in PHP comprise roughly 30 percent of all vulnerabilities.
* Roughly 70 percent of the reported vulnerabilities are easily or trivially exploitable.
* Vulnerabilities in Web server or Web application server technologies comprised around 10 percent of the total reported Web application vulnerabilities.
* Vulnerabilities in Web browsers comprised roughly 5 percent of the total reported application vulnerabilities -- down three percent from Q3 2007.
The report also focused on Web application hacking techniques.
From its research, Cenzic selected the Top Five Web hacking trends of 2007:
* Trickery: Hiding, Anti-Pinning, and Mutating
* Universal XSS in Adobe Acrobat Reader
* Mass-SQL Injection
* Google Gadgets and Gmail
* ORKUT XSS Worm
Ultimately, after analyzing vulnerabilities across high-level categories, Web browsers, and probe and attack data broken down by incident, category, sector and attacker motivation, Cenzic summarized that:
"Despite the growing importance that many organizations place on protecting confidential user data, architectural and design flaws, as well as insecure application configurations are still common culprits in the exposure of sensitive user information."
It's hardly revolutionary to suggest that with any new technology there will be vulnerabilities. It's unsettling, but not unexpected. It's a lesson in due diligence and in keeping up-to-date with the latest releases and news.
Like other crucial elements of the user experience, the security of your Web applications is not something to let fall by the wayside.