45% of web resources of the largest Russian companies contain critical vulnerabilities

Web applications have long been an integral part of the corporate information system of any modern organization, whatever its line of business. Web resources are built not only by commercial companies but also by government agencies, which develop web services to deliver public services online.

Despite all the advantages of web applications, vulnerabilities in them remain one of the most common ways to penetrate corporate information systems. This is confirmed by the statistical studies that Positive Technologies experts conduct every year.

The study covered 67 web resources of the largest Russian organizations in the government and industrial sectors, telecommunications and IT (a separate paper is devoted to banking systems).

Note: the study analyzed data obtained during web application security assessments performed in 2012.

The most common vulnerabilities


Among the 10 most common vulnerabilities are two critical ones, SQL Injection and Directory Traversal, which affect 33% and 18% of the studied web resources, respectively.

In 2012, the most widespread vulnerability was Fingerprinting (information disclosure), which lets an attacker identify the software in use and prepare a foothold for an attack: almost three-quarters of the studied resources (73%) are affected. Cross-Site Scripting ranks second at 63%. Almost half of the systems (46%) contain flaws that allow automated guessing of user credentials and passwords (Brute Force).


Vulnerabilities common to various web development tools


According to the results of the study, 83% of web applications developed in PHP contain critical vulnerabilities, and the remaining 17% of such systems contain medium- and low-risk vulnerabilities. Perl comes second: nearly a third of such systems contain high-risk vulnerabilities.


Vulnerabilities common to various web servers


In 2012, web applications running on the Apache web server were the most exposed to high-risk vulnerabilities: 88% of them contain critical security flaws. Tomcat ranks second, with 75% of applications containing high-risk flaws. Nginx came third with 43% of resources vulnerable, and the IIS web server was the safest (14%).

Recall that, according to the results of the previous study, the most vulnerable web servers were Nginx and Apache.


Most web server vulnerabilities stem from administration errors, the most common of which is Information Leakage.

Vulnerabilities by industry


The highest concentration of web applications containing high-risk vulnerabilities was found in the telecommunications industry: 78%. In the industrial sector, exactly half (50%) of resources contain critical security flaws, followed closely by the websites of IT and information security companies (45%). As for government organizations, roughly every third (27%) web application in this sector contains a high-risk vulnerability.


Findings

Overall, compared to 2011, the average level of web application security has improved slightly: in particular, the proportion of sites containing critical vulnerabilities fell by 15% to almost 45%. Positive Technologies experts found only one infected web application, whereas previously 10% of the sites contained malicious code. On the other hand, there are signs of stagnation: the share of web applications with high-risk vulnerabilities in the industrial sector has not changed, and telecom sector sites are improving their security only very slowly.

The full version of the study can be found on the Positive Technologies website.

Source: https://habr.com/ru/post/199052/