Dramatic Rise In Vulnerabilities During 2006
The number of security vulnerabilities reported in 2006 jumped sharply from the previous year, according to the Computer Emergency Response Team (CERT). Based on the tallies of vulnerabilities submitted to the CERT Coordination Center by public and private sources, there were 8,064 flaws in 2006, 35 percent more than the number recorded in 2005.
Other vulnerability databases reported similar increases, including the Open Source Vulnerability Database, the National Vulnerability Database, and the Symantec Vulnerability Database, according to Symantec's Security Focus. Symantec determined that more than three-quarters of the bugs found during the first six months of 2006 affected web applications.
The most important factor behind the skyrocketing number of vulnerabilities is the ease with which flaws can be found in community and commercial web applications, said Art Manion, vulnerability team leader for the CERT Coordination Center, in a report by Security Focus on January 21, 2007. Manion attributed most of the increase in vulnerabilities to "easy to discover" flaws in Web applications. He said they are easy to create, install and find.
Security researchers should not find the burgeoning flaw numbers during 2006 surprising. The same four databases recorded a jump in 2005 as well, also due to easy-to-find bugs in web applications.
CERT said the vulnerabilities were easy to spot with the help of code search tools, such as the one Google introduced recently. Moreover, the applications attacked are often used by small businesses and individuals, so they do not pose a direct threat to larger enterprises.
Searching source code, for example with Google Code Search, can reveal a number of potential security issues and lets even novice flaw finders detect possible security flaws.
CERT said that, overall, the statistics show a real increase in the spread and vulnerability of web applications. The Center believes this dramatic increase will not be a permanent characteristic of the IT landscape, as the trend of the past years shows: while the number of flaws doubled in 2003 to 4,129, it declined to 3,784 in 2004 and remained steady in 2005, before going up again in 2006.
» SPAMfighter News - 25-01-2007