It may not seem like it, but the security of Web applications is improving.
That’s the finding of the research lab division of Switzerland-based High-Tech Bridge, a penetration testing and computer forensics firm.
In a recent report it concluded Web application vendors were more responsive and issued security patches last year for problems such as SQL injection vulnerabilities and cross-site scripting much faster than they did in 2012.
“Many vendors reacted to a vulnerability notification within several hours and released a security patch in a couple of days,’ the report says. “The vast majority of vendors alerted their end-users about vulnerabilities in a fair and rapid manner.”
As a result silent patching and risk underscoring are becoming rare among medium-sized and well-established web application vendors, it says.
Specifically, the average time to issue what High-Tech considered a critical risk vulnerability dropped to 11 days last year from 17 in 2012; for high risks to 13 days from 12; and for medium risks to 35 days from 48 days.
Why? “Vendors finally started taking security seriously,” the report says. Until recently software developers often waited to release security fixes to go along with new versions of an application. Last year no big vendor adopted what the report calls “this dangerous approach of prioritizing functionality while sacrificing security.”
Only three of 62 security advisories issues by High-Tech in 2013 remain unpatched, it says.
Still, the company says, 11 days to release a patch is “a fairly long delay.”
Of all vulnerabilities found by High-Tech, 55 per cent were cross-site scripting problems, followed by SQL injections with 20 per cent.
Ninety per cent of large and medium-size commercial and open-source content management systems prone to XSS and SQL injection attacks are vulnerable because they are not up-to-date or are incorrectly configured, the report also said.
