SOURCE: Cenzic


March 02, 2010 09:33 ET

Cenzic Web Application Security Trends Report Reveals 90 Percent of Web Applications Vulnerable, Adobe One of the Most Vulnerable

Social Networking Attacks, Cyber Terrorism, Assault on Banks Common Themes

SAN FRANCISCO, CA--(Marketwire - March 2, 2010) -  RSA 2010 -- Cenzic Inc., the leading provider of Web application security solutions, today released its report revealing the most prominent types of Web application vulnerabilities for the second half of 2009. The report, which regularly gauges the state of security on the Web, finds that progress in raising awareness is slow and that commonly used applications are still riddled with flaws. Specifically, the report identified 2,165 vulnerabilities in commercial applications, 82 percent of the 2,650 vulnerabilities published in the period.

Overall, the most commonly published Web application vulnerabilities continue to be SQL Injection and Cross-Site Scripting (XSS), which account for 19 percent and 16 percent of all Web attacks, respectively. Attacks on several Adobe applications, including Flash, ColdFusion and Reader, led the report and earned Adobe the title of "The Year's Most Hacked Software." Among Web browsers, Mozilla Firefox had the largest share of browser vulnerabilities at 44 percent; however, Mozilla also had the most fixes, with only 12 percent of its vulnerabilities left unpatched. Microsoft Internet Explorer, the second most vulnerable browser with 25 percent of all browser vulnerabilities, had 36 percent of them unpatched.

"Time after time, year after year, we see SQL Injection, XSS, information leaks, and session management as the most commonly used Web attacks, and it is mind-boggling to see that more than 90 percent of Web applications continue to be vulnerable," said Mandeep Khera, chief marketing officer at Cenzic. "The solutions are available. Organizations that would like to protect themselves no longer need dedicated IT staff or experts. With managed service offerings and the launch of Cenzic's ClickToSecure Cloud application, it's very easy to get a jump start and begin securing Web applications. We have to overcome this insanity."

Findings from Cenzic's Q3-Q4 2009 Trends Report point to the continued growth of attacks through Web applications. Web vulnerabilities continue to make up the largest share of reported vulnerability volume, with roughly 82 percent of all reported vulnerabilities affecting Web technologies.

Cenzic Application Security Trends Report Q3-Q4 2009 Findings

The report, which illustrates trends among thousands of corporations, financial institutions and government agencies, incorporates findings from Cenzic ClickToSecure, Cenzic's leading-edge managed security assessment (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings include:

  • 82 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, Web applications, Web browsers, browser plug-ins and ActiveX controls, a significant increase from earlier in the year.
  • Of Web browser vulnerabilities, Firefox had the largest share, at 44 percent, but the browser also had the best patch ratio. Internet Explorer vulnerabilities came in at 25 percent.
  • Adobe, Sun and HP continue to be among the Top 10 vendors having the most severe vulnerabilities for the second half of 2009.

To download a PDF version of the Q3-Q4 2009 Trend Report, please visit:

For a hard copy of the full report you can also visit Cenzic at the RSA Conference in San Francisco from March 1st through March 5th, at booth 2624.

About Cenzic
Cenzic, a trusted provider of software and SaaS security products, helps organizations secure their websites against hacker attacks. Cenzic focuses on Web Application Security, automating the process of identifying security defects at the Web application level where more than 75 percent of hacker attacks occur. Our dynamic, black box Web application testing is built on a non-signature-based technology that finds more "real" vulnerabilities as well as provides vulnerability management, risk management, and compliance for regulations and industry standards such as PCI. Cenzic solutions help secure the websites of numerous Fortune 1000 companies, all major security companies, leading government agencies and universities, and hundreds of SMB companies -- overall helping to secure trillions of dollars of e-commerce transactions. The Cenzic solution suite fits the needs of companies across all industries, from testing remotely via our managed service (Cenzic ClickToSecure®), to a full enterprise software product (Cenzic Hailstorm® Enterprise ARC™) for managing security risks across the entire company.

Contact Information

  • Contact:
    Tami Casey
    Kulesa Faul for Cenzic