
Cenzic VNUNET.fr Online Coverage
Christophe Lagane, vnunet Aug.06/2007.
More than 70% of vulnerabilities come from web technologies. According to
the company Cenzic, the number of declared vulnerabilities increased by 7%
during the second quarter.
On the occasion of the Black Hat 2007 event in Las Vegas (Jun.28-Aug.06),
Cenzic, a company specializing in research into computer security flaws, presented its
second-quarter report on web application security. In one
quarter, the company counted 1484 newly declared vulnerabilities,
7% more than in the previous quarter's report.
72% of the flaws come from web technologies, including applications, servers
and browsers. "What is alarming is that 65% of those vulnerabilities were
easy to exploit", noted the company.
Thousands of undeclared vulnerabilities
Still according to Cenzic, Internet Explorer is the least
secure browser, associated with 33% of the vulnerabilities, followed by Firefox
(26%) and Opera (21%). Cross-Site Scripting, SQL Injection and File Inclusion
(error of inclusion) make up the majority of the exploited vulnerabilities. The
first two alone account for 80% of the flaws (60% of which rely solely
on Cross-Site Scripting). Applications written in PHP account
for 30% of the vulnerabilities. However, the language itself is
responsible for only 2% of the flaws, Cenzic clarifies.
According to the security
company, this is only the tip of the iceberg. By its estimate, less than 5%
of applications are tested for potential security flaws. "With
about 400 new vulnerabilities each month, counted towards the declared
vulnerabilities, we think that there are thousands of unpublished ones,
because nobody reports them, or because they were found in newly established
applications", estimates Cenzic.