HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

HP's "Top Cyber Security Threats" Report Helps to Navigate Stormy, Vulnerability-Infested Waters

"The fishermen know that the sea is dangerous and the storm terrible, but they have never found these dangers sufficient reason for remaining ashore."

-- Vincent van Gogh

Van Gogh is correct. In our increasingly connected, ever-webby world, we can't let fear of the threatening stormclouds of bad guys stop us from maximizing our business and personal returns. I would have added a second sentence, however: "Successful fishermen who stay alive understand the sea's danger and how to mitigate risk before they leave shore."

In that spirit, HP announced yesterday the release of the "2010 Top Cyber Security Risks" report. Largely powered by the big brains at HP TippingPoint's DVLabs (with assistance from some of us in the Application Security Center, especially our blogmeister Mark Painter), the report paints a stark picture of the vulnerability landscape.

The good news, and we'll take good news where we can find it, is that although raw vulnerability disclosures rose about 10% from 2009 to 2010, the yearly total has largely plateaued over the last few years. Development teams now at least know how to spell "SDLC", and that awareness is part of why the disclosure curve has flattened. The bad news is that almost 8,000 vulnerabilities were still disclosed last year, and attackers don't need new ones: they are making hay with existing, already-disclosed vulnerabilities.

Not surprisingly, web application vulnerabilities made up half of all vulnerabilities reported in 2010, and reported cross-site scripting and cross-site request forgery vulnerabilities both increased. To corroborate and amplify this data, we in the Application Security Center took the next step and reported results across a group of real scans of real applications. A staggering 71% of those applications had a cross-site scripting, SQL injection, or command execution vulnerability. More than 60% were subject to potential cross-site scripting attacks, 49% were susceptible to SQL injection or critical command execution exploits, and 22% were vulnerable to both cross-site scripting and SQL injection. Keep in mind that these are scan findings: they measure how many applications exposed an exploitable pattern, not how many were actually breached.
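For readers who haven't seen these three vulnerability classes side by side, here is an added illustration (not code from the report or from the original post) of what each looks like in a small Python application, with the vulnerable pattern next to a hardened one. The in-memory users table, the attack payloads, the hostname allowlist and all function names are constructed for this example.

```python
import html
import re
import sqlite3
import subprocess

# Constructed sample data for this example (not from the report).
USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Create an in-memory SQLite table to run the queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


# 1. SQL injection: building the query as a string lets the input rewrite its logic.
def lookup_vulnerable(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '%s' ORDER BY name" % name
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    # Bound parameters: the driver passes the value separately from the SQL text,
    # so quotes and keywords inside `name` stay data and never become syntax.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? ORDER BY name", (name,)
    ).fetchall()


# 2. Cross-site scripting: untrusted text dropped into HTML is parsed as markup.
def greeting_vulnerable(name):
    return "<p>Hello, %s</p>" % name


def greeting_hardened(name):
    # Entity-encode for the HTML text context before interpolating.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# 3. OS command execution: routing input through a shell lets it append commands.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # assumed allowlist policy


def echo_vulnerable(host):
    # shell=True hands the whole string to /bin/sh; a ';' starts a second command.
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


def echo_hardened(host):
    # Validate against the allowlist, then pass an argv list so no shell parses it.
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host: %r" % host)
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def demo():
    """Run each pair against a constructed attack payload and return the results."""
    conn = make_db()
    sqli = "' OR '1'='1"
    xss = "<script>alert(1)</script>"
    cmd = "localhost; echo INJECTED"
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, sqli),  # both rows leak
        "sqli_hardened": lookup_hardened(conn, sqli),      # no such user: []
        "xss_vulnerable": greeting_vulnerable(xss),        # script tag survives
        "xss_hardened": greeting_hardened(xss),            # tag is entity-encoded
        "cmd_vulnerable": echo_vulnerable(cmd),            # second command ran
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
    try:
        echo_hardened("localhost; echo INJECTED")
    except ValueError as err:
        print("cmd_hardened ->", err)
```

The common thread is that in each vulnerable function the untrusted value is concatenated into a string that a parser (the SQL engine, the browser, the shell) then interprets; each hardened function keeps the value out of that parser's syntax, by binding it, encoding it, or passing it as a separate argument.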

Other attack methods described and enumerated in the report include malicious botnets, PHP remote file inclusion, denial of service, and web exploit toolkits.

I highly recommend that you take the time to digest the findings in this report. It's a good but sobering read that describes the choppy waters we must navigate each day.

Comments
KSUOwlette | 04-06-2011 10:55 AM

I always enjoy your metaphors for the app security world. Interesting and informative read, yet again.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.