The Rise of Cross-Site Scripting




November 15, 2006 — 
Word is that next year Toyota will sell more vehicles than General Motors. This really shouldn’t come as too much of a surprise; Toyota has been turning a larger profit than GM for quite a while now. Still, it will be the first time in 80 years that GM hasn’t been on top. The world is not what it once was.

It turns out that something very similar has happened with software vulnerabilities.

Since the dawn of the Internet, the buffer overflow has been king. The Morris worm (the first worm seen on the Internet) exploited a buffer overflow in sendmail as one of its methods of propagation, and buffer overflows have dominated the vulnerability landscape ever since.

Well, until 2005 anyway. Steve Christey, one of the maintainers of the CVE database (cve.mitre.org), reports that in 2005, the most-reported vulnerability was cross-site scripting. Not only that, but buffer overflow wasn’t even in second place. The lineup in 2005 looked like this:

1. Cross-Site Scripting (16.0 percent)

2. SQL Injection (12.9 percent)

3. Buffer Overflow (9.8 percent)

2006 is shaping up to be even worse for the venerable buffer overflow; it’s on track to fall out of the top three:

1. Cross-Site Scripting (21.5 percent)

2. SQL Injection (14.0 percent)

3. PHP remote includes (9.5 percent)

Why such a dramatic change in software vulnerabilities? There are four things going on.

First, Web vulnerabilities are easy to find. Firewalls and intrusion detection systems don’t usually look at Web traffic, and most Web sites are quite content to allow you to poke at them until you’ve found the vulnerability you want. Attackers use tools to automatically scan sites for vulnerabilities.

Second, Web vulnerabilities are easier to exploit. In most cases, it’s a lot easier to develop a working exploit for a Web vulnerability than it is to write robust shellcode to exploit a buffer overflow.

Third, there are valuable things on the Web. Every day there are more sites, more services, more transactions and more traffic on the Web. You could find plenty of cross-site scripting vulnerabilities in 1998 too, but there wasn’t so much to gain by exploiting them. There weren’t enough sites holding valuable data, and there weren’t enough visitors to make real money exploiting Web vulnerabilities.

Finally, it takes time and concerted effort to write Web applications that don’t contain vulnerabilities. PHP makes it easy to accidentally allow cross-site scripting, SQL injection or remote attacks. Languages such as Java and C# make buffer overflow a vanishing possibility, and they even provide all the tools you need to avoid SQL injection, but they still make cross-site scripting hard to avoid.
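The three categories at the top of the 2006 list, shown as the careless PHP pattern beside the form that avoids it: encoding on output for cross-site scripting, a prepared statement for SQL injection, and an allow-list for file includes. This is an added example, not code from the column or from Fortify; the users table, the page map and the tainted inputs are constructed for the demo, and it assumes PHP 7 or later with the pdo_sqlite extension available.

```php
<?php
// Added example (not from the original column). Each section pairs the
// careless PHP pattern with a hardened form. All inputs are constructed.

declare(strict_types=1);

// --- Cross-site scripting: encode on output, for the HTML context -------

// Careless: untrusted data is written straight into the page.
function greetUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: escape for an HTML text/attribute context. ENT_QUOTES also
// encodes single quotes; the charset argument must match the page encoding.
function greetSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, $encoded</p>";
}

// --- SQL injection: bind parameters instead of concatenating -----------

// Careless: the login value becomes part of the SQL text itself.
function findUserUnsafe(PDO $db, string $login): array
{
    $sql = "SELECT id, login FROM users WHERE login = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement keeps the value out of the query structure.
function findUserSafe(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Remote/local file include: select from an allow-list ---------------

// Constructed map of request keys to files on disk.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

// Hardened: the request picks a key; the path never comes from the user.
// The careless form is `include $_GET['page'];`, which lets the request
// name the file, and, with URL includes enabled in php.ini, fetch and run
// code from another host.
function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// --- Demo with constructed data -----------------------------------------
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec("INSERT INTO users (login) VALUES ('alice'), ('bob')");

$taintedName = '<img src=x onerror=alert(1)>';   // constructed input
echo greetUnsafe($taintedName), "\n";   // markup reaches the browser intact
echo greetSafe($taintedName), "\n";     // rendered as literal text

$taintedLogin = "' OR '1'='1";                   // constructed input
echo count(findUserUnsafe($db, $taintedLogin)), " rows from the careless query\n";
echo count(findUserSafe($db, $taintedLogin)), " rows from the prepared statement\n";

var_dump(resolvePage('about'));
var_dump(resolvePage('not-a-page'));
```

Run it with `php example.php`. The careless query returns every user because the quote in the input closes the string literal and the rest becomes SQL; the prepared statement returns none, since the whole string is compared as data. The same output-encoding rule applies in Java and C#: the platform removes the buffer overflow, but nothing encodes a value for you when you write it into HTML.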

To make matters worse, we still haven’t made progress toward eliminating buffer overflows. Christey’s data shows that the number of buffer overflow reports is holding steady at between 250 and 450 per year. Web vulnerabilities, on the other hand, have skyrocketed beginning in 2003. (In total, there were three times as many vulnerabilities reported in 2005 as there were in 2001.)

If there’s one lesson to be taken away from this data, it’s this: You can no longer write a Web application without thinking about security. Programmers need to understand that their code isn’t complete until it’s secure.

Brian Chess is chief scientist at Fortify Software.

