Over the last few years, we have identified a number of common characteristics and trends in system security, malicious attacks, and standard web application testing. Some of the security testing problems are of particular interest and may be addressed over time through a targeted strategy. It is apparent that roughly 50 percent of the compromises that have taken place did so through application level attacks. Generally, the root cause of the attacks was:
- Vendor supplied software, both off the shelf and custom, having a range of vulnerabilities that the customer was unaware of
- A single misconfiguration resulting in a full compromise, indicating a lack of a defence in depth strategy and execution
Other things we have observed are that:
Server and operating system level attacks are tending to plateau, with bigger companies significantly worse than smaller companies at handling vulnerabilities. There were comparatively few zero-day attacks; most attacks originated from automated scanning tools.
Detection of attacks was generally abysmal, with compromises only being discovered as a consequence of aberrant system behaviour. We have also performed a large amount of network and application penetration testing within the past couple of years, and a number of trends are emerging:
Infrastructure level testing is seeing a reduction in vulnerabilities, largely because of improved practices around vulnerability management. A web application deployment by a new customer is likely to have a substantial number of web application security problems, with everything from exposed databases through to SQL injection attacks being possible. Repeat testing over time indicates that an ongoing relationship with a security firm for source code security testing leads to a reduction in vulnerabilities in web applications.
The bigger they are, the harder they fall. There seems to be a defined trend towards larger companies having a greater number of vulnerabilities, especially in the web application area. The main cause of this is uncertain; however, there is a connection with outsourcing and with the requirement for a large company to secure everything. This also applies to smaller businesses, although smaller businesses often have significantly less infrastructure to worry about.
Certainly we have seen vulnerability management and investigation beginning to be implemented within organizations; however, it is only really the network, operating system, and server levels that are being worked on by most companies. This is largely because vulnerability scanning and remediation products and services are maturing in that space. While there are maturing tools in the application security testing area, they are still relatively immature, and will take quite a few years to become both mature and mainstream.