Almost nine out of 10 custom-built web-facing applications contain severe vulnerabilities that could expose organisations to a serious attack, according to an expert at HP.
"Some 86 per cent of the web applications that we analysed as part of HP Fortify had an SQL injection vulnerability of some kind or other," said Simon Leech, pre-sales director EMEA at HP.
An SQL injection vulnerability enables an attacker to compromise the database back-end of an application by entering SQL commands – often disguised as a legitimate query – into a web-facing interface. Recent attacks against Sony, for example, which yielded customers' credit card details, and RSA Security were perpetrated using SQL injection attack techniques. It is also a favoured technique of hacking groups Anonymous and LulzSec, according to Leech.
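To make the mechanism concrete, the following is an added example (not code from the article or from HP Fortify) showing the defect side by side with its fix. It uses Python's standard sqlite3 module on a constructed in-memory table with hypothetical users; the two lookup functions and the sample inputs are assumptions for illustration. The first builds the query by string concatenation, so a quote in the input changes the SQL itself; the second uses a bound parameter, so the same input is only ever treated as data.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database with two hypothetical users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the input is spliced into the SQL text, so a quote character
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Fix: the driver binds the value to the placeholder; the SQL text is
    # fixed at write time and the input can never alter its structure.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Runs both lookups with a normal value and with a constructed value
    # containing a quote, as a web form field might submit it.
    conn = make_db()
    legit = "alice"
    hostile = "x' OR 'a'='a"
    return {
        "vuln_legit": lookup_vulnerable(conn, legit),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_legit": lookup_parameterized(conn, legit),
        "safe_hostile": lookup_parameterized(conn, hostile),  # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The practical rule this illustrates is that escaping or filtering user input is not the fix; the fix is to keep SQL structure and data on separate channels with parameterized queries (or an ORM that does the same), and static analysis tools of the kind the article refers to flag exactly the concatenation pattern in `lookup_vulnerable`.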
Custom-developed applications are at greater risk than commercially developed applications because fewer people and organisations are testing them regularly for potential vulnerabilities.
"If a bank or insurance company develops a piece of software, it will become a nice target for someone to break into if they find a vulnerability, because there's nobody actively patching it or particularly looking after it," said Leech.
Even in commercial software, while the number of vulnerabilities fell from a record high in 2006, their severity has increased, said Leech. The 2006 peak, he added, was when "fuzzing" was at its height – an automatic or semi-automatic software testing technique used to find holes in commercial software, although the holes it found would not necessarily be serious flaws.
Today, though, serious security vulnerabilities – ones that could expose an application to remote code execution and, hence, the "pwning" of a system by an attacker – account for one-quarter of all reported security flaws in commercial software.