SecurityWeek

Web Browsers Improve on Security, Web Applications Unacceptably Vulnerable

Aggressive initiatives by the makers of popular Web browsers including Google, Microsoft, and Mozilla to improve the security of their Web browsers appear to be paying off.

According to the Q3-Q4 Web Application Security Trends Report released today by Web application security firm Cenzic, the big Web browser companies seem to be paying very close attention to security, with many proactively seeking vulnerabilities by offering rewards or “bounties,” and seem to be efficient at fixing vulnerabilities in a timely manner.

Cenzic’s report revealed that Google’s Chrome browser had the most vulnerabilities detected (89), likely due to the aggressive bounty program which offers cash to those who discover vulnerabilities. In the end, Google fixed 88 of these vulnerabilities quickly and efficiently.

Similarly, Mozilla Firefox had 65 vulnerabilities detected and fixed 61 in a timely manner. Apple’s Safari fixed 39 of 41. Microsoft fixed 26 of 32 for Internet Explorer, and Opera fixed 27 of 29 vulnerabilities discovered.

“To give credit where it’s due, all browser companies have done a great job in taking proactive steps toward better security,” said Mandeep Khera, chief marketing officer at Cenzic.

But despite the progress being made with security on the Web browser front, the report points out that Web application security seems to be seriously lacking.

The report reveals widespread Web application vulnerabilities, with 2,155 discovered — a third of which have both no known solution and an exploit code publicly available.

Cross Site Scripting (XSS) and SQL Injection dominated the list of published Web vulnerabilities in Commercial Off The Shelf (COTS) software, accounting for 54 percent of the total number of Web vulnerabilities in the second half of 2010.

“With all the publicity, education, and known attacks that have exploited XSS and SQL vulnerabilities, it is astounding that companies still haven’t plugged these threats,” said Khera. “Cybercriminals are well aware of these weaknesses, and worse still, with the amount of exploit codes publicly available, even a hacker with a modicum of talent has the ability to cause tremendous damage. With an average security breach costing companies millions of dollars, lack of precaution is a daily risk that must be taken seriously,” Khera added.

Cenzic’s reports are created by compiling data from a variety of sources including data from its own SaaS clients, Mitre, OWASP, SANS, Secunia, Security Tracker, Symantec, and US-CERT.

You can download a PDF version of Cenzic’s Q3-Q4 2010 Trend Report here.

Written by Mike Lennon

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
