Web app security improving, slowly, says report

It may not seem like it, but the security of Web applications is improving.

That’s the finding of the research lab division of Switzerland-based High-Tech Bridge, a penetration testing and computer forensics firm.

In a recent report it concluded that Web application vendors were more responsive last year, issuing security patches for problems such as SQL injection and cross-site scripting vulnerabilities much faster than they did in 2012.

“Many vendors reacted to a vulnerability notification within several hours and released a security patch in a couple of days,” the report says. “The vast majority of vendors alerted their end-users about vulnerabilities in a fair and rapid manner.”

As a result, silent patching and risk underscoring are becoming rare among medium-sized and well-established Web application vendors, it says.

Specifically, the average time to patch a vulnerability High-Tech rated a critical risk dropped to 11 days last year from 17 in 2012; for high-risk vulnerabilities it went to 13 days from 12; and for medium-risk vulnerabilities it dropped to 35 days from 48.

Why? “Vendors finally started taking security seriously,” the report says. Until recently software developers often waited to release security fixes to go along with new versions of an application. Last year no big vendor adopted what the report calls “this dangerous approach of prioritizing functionality while sacrificing security.”

Only three of the 62 security advisories issued by High-Tech in 2013 remain unpatched, it says.

Still, the company says, 11 days to release a patch is “a fairly long delay.”

Of all vulnerabilities found by High-Tech, 55 per cent were cross-site scripting problems, followed by SQL injections with 20 per cent.

Ninety per cent of large and medium-size commercial and open-source content management systems prone to XSS and SQL injection attacks are vulnerable because they are not up-to-date or are incorrectly configured, the report also said.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com