Over the last few years, we have identified a number of common features and trends in system security, malicious attacks, and general web application testing. Of these, a number of the security testing issues are of some interest and can be addressed over time through a targeted approach.
In the last 18 months we have performed incident response and incident management for a relatively significant number of large clients. Through this, it is apparent that approximately 50% of the compromises that have taken place have done so through application level attacks. In general terms, the root causes of the attacks were:
1. Vendor-provided software (both off-the-shelf and custom) having a number of insecurities and software vulnerabilities of which the customer was unaware
2. A single source code web vulnerability resulting in a full compromise, indicating a lack of a defence in depth strategy and implementation
Other points we have observed are that:
Server and operating system level attacks are tending to plateau, with larger companies significantly worse than smaller companies at managing both vulnerabilities and insecurities.
There were relatively few "zero-day" attacks; most attacks were the result of automated tool scanning attacks.
The detection of attacks was in the main abysmal, with compromises only being detected as a result of aberrant behaviour by the affected systems.
We have also performed a huge amount of network and application intrusion testing (penetration testing) over the last few years, with a number of emerging trends:
Infrastructure level testing is seeing a reduction in insecurities, largely due to improved trends around vulnerability management.
A web application deployment by a fresh (new) client is likely to have a significant number of web application security issues, with everything from exposed databases through to SQL injection attacks being possible. Further testing over time indicates that an ongoing relationship with a security company for source security testing purposes results in a reduction of insecurities in the web applications.
"The bigger they are, the harder they fall". There appears to be a defined trend towards the larger companies having a higher number of insecurities, particularly in the web application space. The root cause of this is unclear; however, there is a relationship with outsourcing, and with the need for a large organization to "secure everything". This also applies to smaller companies; however, the smaller companies tend to have significantly less infrastructure to worry about.