This problem is thornier than anticipated, and global. Japanese vulnerability assessment vendor NRI Secure Technologies says of the 169 Websites it conducted vulnerability testing on last year, 41 percent had gaps that would allow unauthorized access to users private information, and another 30 percent had flaws that made information leakage possible. Only 29 percent were found to have no high-risk flaws. And these weren’t mom-and-pop shops—more than half were financial services Websites, and 75 percent were among the largest companies listed on the Tokyo stock exchange.
As in years past, cross-site scripting was the most commonly detected vulnerability, with 60 percent of the high-risk holes attributed to this. SQL injection, spoofing and privilege escalation flaws rounded out the top four. One note for mobile banking providers: 25 percent of mobile sites surveyed were found to have “predictable session ID” flaws, a spoofing flaw in which “access becomes possible by guessing other user's session IDs based on the session ID issued by the web site after a successful log I,” NRI says.
Why all the holes, still? “One of the causes is the increasingly complex system development environment such as demand for speedy development, linkage and integration of multiple systems, development by multiple parties, and deployment of new technologies,” the vendor says. “It is hard to thoroughly confirm web site security measures without any omission unless a systematic approach is taken.”