45% of the web resources of the largest Russian companies contain critical vulnerabilities

    Web applications have long been an integral part of the corporate information system of any modern organization, whatever its line of business. Web resources of their own are created not only by commercial companies but also by government agencies, which develop web services to deliver services online.

    Despite all the advantages of web applications, vulnerabilities in them are one of the most common ways of penetrating corporate information systems. This is confirmed by statistical studies conducted annually by Positive Technologies experts.

    The study covered 67 resources of the largest Russian organizations in the government and industrial sectors, telecommunications and IT (banking systems are covered in a separate study).

    Note: the study analyzed data obtained during web application security assessments carried out in 2012.

    The most common vulnerabilities

    The ten most common vulnerabilities include two critical ones: SQL Injection and Directory Traversal, which affect 33% and 18% of the investigated web resources, respectively.

    In 2012 the most widespread flaw was the Fingerprinting information disclosure vulnerability, which lets an attacker identify the software in use and lay the groundwork for an attack: roughly three quarters of the investigated resources (73%) are affected by it. In second place, at 63%, is cross-site scripting. Almost half of the systems (46%) are susceptible to automated guessing of user credentials and passwords (Brute Force).


    Vulnerabilities in Web Development Tools

    According to the results of the study, 83% of web applications developed in PHP contain critical vulnerabilities; the remaining 17% of such systems contain medium- and low-risk vulnerabilities. Perl comes second: nearly a third of Perl-based systems contain high-risk vulnerabilities.


    Vulnerabilities specific to various web servers

    In 2012, web applications running on the Apache web server most often contained high-risk vulnerabilities: 88% of them have critical security flaws. Tomcat is in second place, with 75% of resources containing high-risk flaws. Nginx took third place with 43% of vulnerable resources, and IIS (14%) turned out to be the most secure web server.

    Recall that in the previous study, resources running Nginx and Apache were the most vulnerable.


    Most web server vulnerabilities stem from administrative errors, the most common of which is Information Leakage.

    Industry Vulnerabilities

    The highest concentration of web applications containing high-risk vulnerabilities was found in the telecommunications industry: 78%. In the industrial sector, exactly half (50%) of the resources contain critical security flaws, followed by a small margin by the sites of IT and information security companies (45%). As for government organizations, approximately every third (27%) web application in this sector contains a high-risk vulnerability.


    Overall, compared with 2011, the average security level of web applications has risen slightly: in particular, the share of sites containing critical vulnerabilities has decreased by 15% to almost 45%. Positive Technologies experts found only one infected web application, whereas previously 10% of sites contained malicious code. On the other hand, there are signs of stagnation: the share of web applications with high-risk vulnerabilities in the industrial sector has not changed, and telecom-sector sites are improving their security only very slowly.

    The full version of the study can be found on the Positive Technologies website.