PALO ALTO, Calif., April 19, 2012
“To protect organizations against a wide range of attacks, HP has established a global network of security researchers who look for vulnerabilities that were not publicly disclosed,” said Michael Callahan, vice president, Worldwide Product and Solution Marketing, Enterprise Security Products, HP. “The intelligence gained from this research group is built into HP enterprise security solutions in an effort to proactively reduce risk.”
Shifting vulnerability landscape
Disclosure of new vulnerabilities in commercial applications has slowly declined since 2006, dropping nearly 20 percent in 2011 from the previous year. However, data from the report demonstrates that this decline does not signify decreased risk.
- - Although vulnerability reports have declined, attacks on web applications have more than doubled as measured by HP TippingPoint Intrusion Prevention Systems (IPS) in the second half of 2011.
- - Nearly 24 percent of new vulnerabilities disclosed in commercial applications in 2011 have a severity rating of 8 to 10. These vulnerabilities can result in a remote code execution, the most dangerous type of attack.
- - Roughly 36 percent of all vulnerabilities are in commercial web applications.
- - Approximately 86 percent of web applications are vulnerable to an injection attack, which is when hackers access internal databases through a website.
- - Due to a high success rate, web exploit toolkits continued to be popular in 2011. These “packaged” attack frameworks are traded or sold online, enabling hackers to access enterprise IT systems and steal sensitive data. For example, the Blackhole Exploit Kit is used by most cybercriminals, and reached an unusually high infection rate of more than 80 percent in late November 2011.
The Cyber Security Risks Report has been published every six months since 2009 by HP DVLabs, a premier research organization for vulnerability analysis and discovery. HP DVLabs analyzed security exploit data from thousands of deployed HP TippingPoint Intrusion Prevention Systems (IPS). The data was then correlated with information from the following sources:
- The Zero Day Initiative, a research program managed by HP DVLabs that is designed to improve security by identifying software flaws which have led to cyber attacks and security breaches.
- Open Source Vulnerability Database, an independent and open source database created by and for the security-vulnerabilities community.
- Web application data from the HP Fortify Application Security Center (ASC) Web Security Research Group, which helps security professionals, quality assurance (QA) specialists and developers facilitate the security of web applications across the enterprise, HP Software Professional Services and HP Fortify on Demand.