Static Source Code Analysis for Web Applications, the Case

Trends and Findings

Over the last few years, we have identified a number of common features and trends in system security, malicious attacks, and general web application testing. Of these, a number of the security testing issues are of some interest and can be addressed over time through a targeted approach.

In the last 18 months we have performed incident response and incident management for a relatively significant number of large clients. Through this, it is apparent that approximately 50% of the compromises that have taken place have done so through application level attacks. In general terms, the root cause of the attacks were:

1. Vendor provided software (including both off the shelf and custom) having a number of insecurities and software vulnerabilities which the customer was unaware of

2. A single misconfiguration resulting in a full compromise indicating a lack of a defence in depth strategy and implementation

Other points we have observed are that:

Server and Operating System level attacks are tending to plateau, with larger companies significantly worse than smaller companies in managing both vulnerabilities and insecurities.

There were relatively few