Saturday, May 8, 2010

Vulnerable Sites Database; plus which web language is most vulnerable

Vulnerable Sites Database

Yikes! Just what we need out there. An online database of sites that are vulnerable to web attacks. I hope my sites are never listed in there. Now that the database is in place, and people can sign up and add sites to the list, the ever-growing target on our businesses gets bigger. It is just a matter of time before some of our sites are there. Sigh.

Now, more than ever, we need to educate ourselves, our bosses, and other developers to the dangers we build into our sites every single day. We need to be diligent and persistent. The dark side of the web is making it easier and easier to exploit sites...the info is right there for the taking by anyone with a malicious idea.

Interesting note on that database site. On the right side of the screen is a tag cloud and what are the two biggest phrases in it? If you have to even look at this answer you need to educate yourself quite a bit and need to do it now -- XSS and SQL Injection. In the words of the band Miracle Legion, "Well, surprise surprise surprise".

Are your sites safe? Are you actively coding against these two attacks?

Web programming language security comparison

On another note, there was a recent WhiteHat Security study about which web programming languages have the most vulnerabilities and are the safest, etc. I don't promote one over the other, as it would be like promoting one hammer over another when building a house, but since this blog is all about securing ASP.NET sites, I will focus on those results.

The article at DarkReading.com is pretty eye-opening. I mean, we know ASP.NET has some helpful protection right out of the box, but I had no idea how vulnerable the sites are that are being built in the other languages. Here is a quick summary of points that stuck out to me:
  • "WhiteHat found that Perl, Cold Fusion, JSP, and PHP were most likely to contain at least one serious vulnerability -- 80 percent of the time, according to the report. Strut has the lowest number of existing vulnerabilities in a website, at 5.5 percent, followed by Microsoft's .NET at 6.2 percent." (80%??? 8 out of 10 PHP sites? Ow!)

  • "... more than eight in 10 Perl-based websites harbor cross-site scripting (XSS) bugs versus half for .NET, which was the lowest rate." (I still think HALF being the lowest rate is pretty scary...come on ASP.NET devs, button those up -- it is easy!)

  • "Cold Fusion had the most SQL injection flaws -- nearly 40 percent of the websites had them -- and Struts and JSP had the lowest, with 14 percent and 15 percent, respectively..." (Again I think 14% being the lowest for having SQL Injection flaws is too high. That is 1 in 7 sites built with Struts or JSP. Everyone else is higher! More than 1 in 3 for Cold Fusion sites...ow.)
These were eye opening for sure. It is good that .NET fares so "well" in this, but look at those numbers. Honestly, this blog is about waking up ALL web developers, taking the practical part to the .NET folks.

Talk to your .NET hater friends out there!! Perl, Cold Fusion, JSP, etc...they all have vulnerabilities in their sites, up to 80% of the sites as noted in the first bullet. So talk to them to educate them, and close your .NET holes while you're at it so they can't point the finger back at your sites too. ;-)

See the entire report for details.

No comments:

Post a Comment