Aggressive initiatives by the makers of popular Web browsers including Google, Microsoft, and Mozilla to improve the security of their Web browsers appear to be paying off.
According to the Q3-Q4 Web Application Security Trends Report released today by Web application security firm Cenzic, the big Web browser companies seem to be paying very close attention to security, with many proactively seeking vulnerabilities by offering rewards or “bounties,” and seem to be efficient at fixing vulnerabilities in a timely manner.
Cenzic’s report revealed that Google’s Chrome browser had the most vulnerabilities detected — 89 – likely due to the aggressive bounty program which offers cash to those who discover vulnerabilities. In the end, Google fixed 88 of these vulnerabilities quickly and efficiently.
Similarly, Mozilla Firefox had 65 vulnerabilities detected and fixed 61 in a timely manner. Apple’s Safari fixed 39 of 41. Microsoft fixed 26 of 32 for Internet Explorer, and Opera fixed 27 of 29 vulnerabilities discovered.
“To give credit where it’s due, all browser companies have done a great job in taking proactive steps toward better security,” said Mandeep Khera, chief marketing officer at Cenzic.
But despite the progress being made with security on the Web browser front, the report points out that that Web application security seems to be seriously lacking.
The report reveals widespread Web application vulnerabilities, with 2,155 discovered — a third of which have both no known solution and an exploit code publicly available.
Cross Site Scripting (XSS) and SQL Injection dominated the list of published Web vulnerabilities in Commercial Off The Shelf (COTS) software, accounting for 54 percent of the total number of Web vulnerabilities in the second half of 2010.
“With all the publicity, education, and known attacks that have exploited XSS and SQL vulnerabilities, it is astounding that companies still haven’t plugged these threats,” said Khera. “Cybercriminals are well aware of these weaknesses, and worse still, with the amount of exploit codes publicly available, even a hacker with a modicum of talent has ability to cause tremendous damage. With an average security breach costing companies millions of dollars, lack of precaution is a daily risk that must be taken seriously,” Khera added.
Cenzic’s reports are created by compiling data from a variety of sources including data from its own SaaS clients, Mitre, OWASP, SANS, Secunia, Security Tracker, Symantec, and US-CERT.
You can download a PDF version of Cenzic’s Q3-Q4 2010 Trend Report here.