Networks riddled with vulnerabilities

Security experts have warned that there is at least one vulnerability in the network layer of every corporate network.

The research also found that almost all networks have at least one vulnerability in the application layer.

Security firm Orthus this week published an analysis of 100 in-depth security tests conducted over the past five years,

The firm claims that this provides an insight into how security weaknesses and attack vectors have evolved, and how organisations' defences have changed in response.

The analysis looked at the results from 100 baseline security testing engagements delivered since the beginning of 2004 across a range of industry sectors including banking, insurance, finance, retail, manufacturing, transport, utilities, health and education.

The study found that 100 per cent of tests found at least one security vulnerability at the network level, and 97 per cent of tests found at least one vulnerability at the application level.

Orthus said that network layer weaknesses have come down from an average of 14 per test in 2004 to an average of six in tests delivered during 2008, a reduction of 57 per cent.

But application layer weaknesses have increased from eight per test in 2004 to 12 per test in 2008, a 50 per cent rise.

Orthus said that the analysis highlights an improvement in the way organisations are hardening and configuring network devices and servers prior to use in production environments.

But some vulnerabilities are inevitably still present and more than half of these are attributable to weak operational security processes, in particular inadequate patch management programmes.

SQL injection and other SQL weaknesses increased 25 per cent, cross-site scripting increased 23 per cent, and input validation issues increased 15 per cent.

SSL related issues went up by seven per cent, authentication related issues increased nine per cent and information leakage increased five per cent.

Richard Hollis, managing director of Orthus, said: "Security teams are getting better at eradicating network and operating system related issues, but the application layer is less well addressed.

"Companies need to adopt secure coding guidelines as part of a comprehensive secure software development lifecycle.

"It can be done. The three per cent of applications that were extremely well-written and configured when tested are proof of that."

But Hollis added that organisations that outsource web application development in particular should provide security standards to their partners and insist on periodic independent code reviews as well as application testing of every major release.

"Issues fixed in one release have a habit of reappearing in the next," he said.