Fortify Software Identifies Threats to Web-Based Applications

WebKnowHow
Monday, July 17, 2006; 07:56 AM

Fortify Software, provider of products that identify and remediate security vulnerabilities in software, announced the results of the first empirical research into attacks that specifically target Web-based applications. After collecting data from its customers' Web applications over the course of six months, Fortify identified four primary attack methods that present an imminent threat to Web-based applications today:

    -- Bot Storming: Over half of the attacks on Web applications over the six-month period were generated by automated probes, bots, or bot networks searching for unprotected or unpatched components of Web applications. Probes of this type can be negligible or catastrophic, depending on the way Web applications are built, and can be a forerunner to Internet worms and directed attacks.
    -- Google Hacking: Over 20 percent of all security events in the Fortify monitoring pool were the result of hackers accessing Web site vulnerability information stored in search engine indices. For example, a Web application may report diagnostic information if a Web page is broken. Hackers can use information stored in search engine indices of that site to map out the components and internal structure of the application.
    -- Directed Attacks: These Web application-specific attacks are less frequent, but are much more sophisticated and dangerous to Web applications. The techniques most often noted were cross-site scripting, SQL injection and buffer overflow attacks.
    -- Global Attack Base: Fortify's research revealed a wide range of attack origination points, including the United States, China, Poland, Australia, and many other countries, reflecting an increasingly global attack base. In addition, the use of anonymizing technologies and proxy servers continues to mask the true locations of Web application attack sources, reflecting their "invisible" nature.

"There is a wealth of research covering viruses, network-based attacks, public vulnerability announcements, spam, and phishing schemes, but very little focusing on Web-enabled applications that sit beyond the reach of firewalls and traditional network security," said Brian Chess, Chief Scientist, Fortify Software. "With today's consumers and businesses depending on Web applications, such as ecommerce and financial services applications that contain sensitive customer information, it's critical that businesses understand the risk exposure of their applications and take the necessary steps to avoid dangerous security attacks."
