Over the last few years, we have identified a number of common features and trends in system security, malicious attacks, and general web application testing. Of these, a number of the security testing issues are of some interest and can be addressed over time through a targeted approach.

In the last 18 months we have performed incident response and incident management for a relatively significant number of large clients. Through this, it is apparent that approximately 50% of the compromises that have taken place have done so through application level attacks. In general terms, the root cause of the attacks were:

1. Vendor provided software (including both off the shelf and custom) having a number of insecurities and software vulnerabilities which the customer was unaware of

2. A single source code web tin tức resulting in a full compromise indicating a lack of a defence in depth strategy and implementation

Other points we have observed are that:

Server and Operating System level attacks are tending to plateau, with larger companies significantly worse than smaller companies in managing both vulnerabilities and insecurities.

There were relatively few "zero-day" attacks; most attacks were the result of automated tool scanning attacks.

The detection of attacks was in the main abysmal, with the compromises only being detected as a result of aberrant behaviour by systems.

We have also performed a huge amount of network and application intrusion testing (penetration testing) over the last few years, with a number of emerging trends:

Infrastructure level testing is seeing a reduction in insecurities, largely due to improved trends around vulnerability management.

A web application deployment by a fresh (new) client is likely to have a significant number of web application security issues, with everything from exposed databases through to SQL injection level attacks being possible. Further testing over time indicates that a relationship with a security company for source security testing purposes results in a reduction of insecurities in the web applications.

"The bigger they are, the harder they fall". There appears to be a defined trend towards the larger companies having a higher number of insecurities, particularly in the web application space. The root cause of this is unclear; however there is a relationship with outsourcing, and the need for a large organization to "secure everything". This also applies to smaller companies; however the smaller companies tend to have significantly less infrastructure to worry about.