Web app security improving, slowly, says report

It may not seem like it, but the security of Web applications is improving.

That’s the finding of the research lab division of Switzerland-based High-Tech Bridge, a penetration testing and computer forensics firm.

In a recent report it concluded Web application vendors were more responsive and issued security patches last year for problems such as SQL injection vulnerabilities and cross-site scripting much faster than they did in 2012.

“Many vendors reacted to a vulnerability notification within several hours and released a security patch in a couple of days,” the report says. “The vast majority of vendors alerted their end-users about vulnerabilities in a fair and rapid manner.”

As a result, silent patching and under-scoring of risk are becoming rare among medium-sized and well-established web application vendors, it says.

Specifically, the average time to patch what High-Tech classified as a critical-risk vulnerability dropped to 11 days last year from 17 in 2012; for high-risk vulnerabilities the figure was 13 days, compared with 12 in 2012; and for medium risks it fell to 35 days from 48 days.

Why? “Vendors finally started taking security seriously,” the report says. Until recently software developers often waited to release security fixes to go along with new versions of an application. Last year no big vendor adopted what the report calls “this dangerous approach of prioritizing functionality while sacrificing security.”

Only three of the 62 security advisories issued by High-Tech in 2013 remain unpatched, it says.

Still, the company says, 11 days to release a patch is “a fairly long delay.”

Of all vulnerabilities found by High-Tech, 55 per cent were cross-site scripting problems, followed by SQL injections with 20 per cent.

Ninety per cent of large and medium-size commercial and open-source content management systems prone to XSS and SQL injection attacks are vulnerable because they are not up-to-date or are incorrectly configured, the report also said.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com