The Rise of Cross-Site Scripting




November 15, 2006 — 
Word is that next year Toyota will sell more vehicles than General Motors. This really shouldn’t come as too much of a surprise; Toyota has been turning a larger profit than GM for quite a while now. Still, it will be the first time in 80 years that GM hasn’t been on top. The world is not what it once was.

It turns out that something very similar has happened with software vulnerabilities.

Since the dawn of the Internet, the buffer overflow has been king. The Morris worm (the first worm seen on the Internet) exploited a buffer overflow in fingerd as one of its methods of propagation (its sendmail vector was a debug back door, not an overflow), and buffer overflows have dominated the vulnerability landscape ever since.

Well, until 2005 anyway. Steve Christey, one of the maintainers of the CVE database (cve.mitre.org), reports that in 2005 the most frequently reported vulnerability class was cross-site scripting. Not only that, but buffer overflow wasn't even in second place. The lineup in 2005, as a share of the year's CVE entries, looked like this:

1. Cross-Site Scripting (16.0 percent)
2. SQL Injection (12.9 percent)
3. Buffer Overflow (9.8 percent)

2006 is shaping up to be even worse for the venerable buffer overflow; it's on track to fall out of the top three:

1. Cross-Site Scripting (21.5 percent)
2. SQL Injection (14.0 percent)
3. PHP remote includes (9.5 percent)

Why such a dramatic change in software vulnerabilities? There are four things going on.

First, Web vulnerabilities are easy to find. Firewalls have to let Web traffic through, intrusion detection systems don't usually inspect what is inside it, and most Web sites are quite content to let you poke at them until you've found the vulnerability you want. Attackers use tools that automatically scan sites for vulnerabilities, and such a scan needs nothing more than ordinary HTTP requests.

Second, Web vulnerabilities are easier to exploit. In most cases a working exploit for a Web vulnerability is just a crafted request, which is a lot easier to produce than the robust shellcode (and the knowledge of addresses and stack layout) that exploiting a buffer overflow demands.

Third, there are valuable things on the Web. Every day there are more sites, more services, more transactions and more traffic on the Web. You could find plenty of cross-site scripting vulnerabilities in 1998 too, but there wasn’t so much to gain by exploiting them. There weren’t enough sites holding valuable data, and there weren’t enough visitors to make real money exploiting Web vulnerabilities.

Finally, it takes time and concerted effort to write Web applications that don't contain vulnerabilities. PHP makes it easy to accidentally allow cross-site scripting, SQL injection or remote file inclusion. Languages such as Java and C# make buffer overflow a vanishing possibility, and they even provide all the tools you need to avoid SQL injection (parameterized queries), but they do nothing to stop you from writing user input straight into a page, so cross-site scripting remains hard to avoid.
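The two classes at the top of both lists, shown as the careless pattern beside the hardened one. This is an added example, not code from the column or from Fortify, and it is written in Python rather than PHP so it can be run as-is; the in-memory user table, the row values and the attack strings are all constructed here for illustration.

```python
# Added example (not from the column): SQL injection and cross-site
# scripting, each as the vulnerable pattern beside its hardened form.
# Python stands in for PHP; the table, rows and inputs are constructed.
import html
import sqlite3
from urllib.parse import urlsplit


def build_db():
    """In-memory user table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: input is pasted into the SQL text, so a quote in the
    input ends the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterized query: the values travel separately from the SQL text,
    so a quote in the input is just a character being compared."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def greet_vulnerable(name):
    """Reflected XSS: the input lands in the HTML body unencoded."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    """HTML-body context: encode <, >, & and quotes before the string
    becomes markup, so a <script> tag in the input stays text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def link_vulnerable(url):
    """Attribute context: a double quote in the input closes href and the
    attacker appends an event-handler attribute of his own."""
    return '<a href="' + url + '">link</a>'


def link_safe(url):
    """Attribute context needs two things: encoding, so quotes cannot break
    out of the attribute, and a scheme allowlist, because encoding does
    nothing against a javascript: URL.  Returns None for a refused URL
    (relative URLs are refused too; loosen the allowlist if you need them)."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return None
    return '<a href="' + html.escape(url, quote=True) + '">link</a>'


if __name__ == "__main__":
    conn = build_db()
    bypass = "alice' OR '1'='1' --"          # constructed attack string
    print("vulnerable login:", login_vulnerable(conn, bypass, "wrong"))
    print("safe login:      ", login_safe(conn, bypass, "wrong"))
    payload = "<script>alert(document.cookie)</script>"
    print(greet_vulnerable(payload))
    print(greet_safe(payload))
    attr = 'http://example.com/?q=" onmouseover="alert(1)'
    print(link_vulnerable(attr))
    print(link_safe(attr))
    print(link_safe("javascript:alert(1)"))
```

The point of the two `link_*` functions is the one the column is making about Java and C#: the language hands you `html.escape` (or its equivalent), but nothing forces you to call it, and even calling it is not enough once the output sits in an attribute that the browser will interpret as a URL.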

To make matters worse, we still haven’t made progress toward eliminating buffer overflows. Christey’s data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)

If there’s one lesson to be taken away from this data, it’s this: You can no longer write a Web application without thinking about security. Programmers need to understand that their code isn’t complete until it’s secure.

Brian Chess is chief scientist at Fortify Software.


Share this link: http://www.sdtimes.com/link/29764