Tuesday, 26 October 2010

80% of web applications can't pass a PCI audit

During recent in-depth security reviews of almost 3,000 applications, it was discovered that over 80% of web applications don't comply with the OWASP Top 10 list of critical web application errors and consequently couldn't pass a PCI compliance audit. Obviously, application security still has a long way to go. It's overly simplistic, but being in compliance with regulations like PCI provides a good baseline of security. You can still be hacked if you are in compliance with PCI or HIPAA or anything else, but the chances that your organization will find itself in the news because of a breach are significantly reduced. There are far easier targets.

It was also discovered that over 80% of third-party code failed security tests. According to the report, anywhere from 30-70% of internally developed applications are composed of third-party components. That number should make the danger of insecure third-party code just as clear as the Siemens Stuxnet incident did (probably the most famous example to date of a vulnerability resulting from insecure third-party code).

What will seem like common sense once you hear it: open source software is more secure than either its in-house or commercial brethren. By a lot. A whopping 93% of open source applications did not pose a potential security risk. Apparently many eyes (and many testers) can help to create more secure software.

As we've repeatedly seen over the past couple of years, Cross-Site Scripting remains the main web application vulnerability. The report notes that a full 51% of the vulnerabilities discovered in these applications were Cross-Site Scripting.

Something of a bright spot, though... the average time for organizations to fix security defects has now shrunk from 36-82 days to 12-19. That's a significant drop. At least it's a start... and a good one, at that.

Seen at HP