
Well-known security flaws go ignored

by Robert Jaques

20 Jan 2003


Failure to implement effective security policies is leaving the majority of companies open to surprisingly common vulnerabilities, and is even threatening the security of the "entire internet", analysts warned last week.

According to the Open Web Application Security Project (OWASP), which has published a list of the most dangerous internet application security problems, the greatest threat comes from ignoring exploits that are well understood and well documented.

Many of the problems on the OWASP's list can be executed by inexperienced 'script kiddies' using automated cracking tools.

The Washington-based open source project was surprised to find that firms were not deploying countermeasures against well known threats.

"The security issues raised here are not new. In fact, some have been well understood for decades," he said.

"Yet for some reason, major software development projects are still making these mistakes and jeopardising not only their customers' security, but the security of the entire internet."

This view was endorsed by Dr Charles Pfleeger, master security architect at Cable and Wireless.

"Flaws continue to be found in applications, even after nearly 50 years of programming experience," he explained. "Worse, the same kinds of flaws appear over and over again.

"This failure to learn from our mistakes and those of our parents' generation creates far too many vulnerabilities for potential attack. It is no wonder that attacks against applications are on the rise."

The OWASP highlighted the danger of web applications which are not configured to recognise malicious code encapsulated in HTTP requests that can "sail past firewalls, filters, platform hardening, Secure Socket Layer and intrusion detection systems without notice".
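The point OWASP is making is that a firewall, SSL and an intrusion detection system see only a well-formed HTTP request; none of them knows that one parameter is about to be echoed into a web page or handed to a shell. The countermeasure therefore has to live in the application. The following is an added illustration, not code from the article or from OWASP: it takes three constructed form-encoded request bodies (one benign, one carrying script markup, one carrying a shell metacharacter) and applies the application-level checks for the two flaw classes the article names, cross-site scripting and command injection. The parameter names `name` and `host` and the hypothetical `ping` feature are assumptions made for the example.

```python
"""Added example (not from the article or from OWASP): application-level
validation and encoding of data that arrives inside an ordinary HTTP request.
All request bodies below are constructed for the example."""
import html
import re
from urllib.parse import parse_qs

# Constructed application/x-www-form-urlencoded bodies, exactly as a perimeter
# device would see them after TLS termination: syntactically valid HTTP in
# every case, so a firewall or network IDS has nothing to object to.
BENIGN_BODY = "name=alice&host=example.org"
XSS_BODY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&host=example.org"
CMD_BODY = "name=alice&host=example.org%3Bid"

# Allowlist for the hypothetical `host` parameter: hostname characters only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def render_greeting(name: str) -> str:
    """Cross-site scripting countermeasure: HTML-encode untrusted data at the
    point where it is written into the page, so markup characters become
    inert entities instead of live tags."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def validate_host(host: str) -> str:
    """Command injection countermeasure 1: allowlist validation.
    Anything outside the characters a hostname may contain is rejected, so
    shell metacharacters such as ';' never reach a command at all."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_ping_argv(host: str) -> list[str]:
    """Command injection countermeasure 2: never assemble a shell string.
    The vulnerable pattern is string concatenation run through a shell; an
    argv list keeps the parameter as one argument regardless of its content.
    The list is returned rather than executed so the example runs offline."""
    return ["ping", "-c", "1", validate_host(host)]


def handle(body: str) -> dict:
    """Process one request body and report what the application would do:
    the encoded greeting, and either the safe argv or the rejection reason."""
    params = parse_qs(body, keep_blank_values=True)
    name = params.get("name", [""])[0]
    host = params.get("host", [""])[0]
    result = {"greeting": render_greeting(name)}
    try:
        result["argv"] = build_ping_argv(host)
    except ValueError as exc:
        result["argv"] = None
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("xss", XSS_BODY), ("cmd", CMD_BODY)):
        print(label, handle(body))
```

Running the script shows the benign request producing a plain greeting and a four-element argv, the script-bearing request producing a greeting in which the angle brackets have become `&lt;` and `&gt;`, and the metacharacter-bearing request being refused before any command is built. The design choice worth noting is that both defences are applied where the application knows the context (HTML output, command argument), which is exactly the knowledge the perimeter devices in the OWASP quote lack.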

While welcoming the report as an attempt to raise awareness of IT security issues, Quocirca strategy analyst Clive Longbottom pointed out that highlighting technical problems could fight only half the battle.

"Just raising a list of problems in isolation will only provide a recipe for fear, uncertainty and dread," he warned.

"Over 95 per cent of UK companies are not large enough to employ dedicated IT security professionals. As a result most will not understand the difference between a command injection flaw and a cross-site scripting exploit.

"In order to better serve this majority of companies the security market needs to stop the techno-babble of stringing acronyms together to describe vulnerabilities.

"They must move away from the technology for its own sake and start offering understandable products and services to deal effectively with these common vulnerabilities."
