SCADApedia

Web Application Security Statistics

Late last week the Web Application Security Consortium (WASC) released its statistics on web application vulnerabilities for 2008. The report compiles data contributed by eight web security groups, including HP and Veracode. Between them the groups assessed 12,186 sites and found 97,554 vulnerabilities of varying severity. Approximately 13% of the sites could be compromised completely automatically. The vulnerability classes found by automated testing included brute force, OS commanding and SQL injection. Cross-site scripting, information leakage, SQL injection and HTTP response splitting were the most common vulnerabilities found overall. Because so many of these classes are detectable with automated tools, asset owners should be able to use those tools to discover a decent share of the vulnerabilities in the devices on their networks. Automated (black box) testing is also useful when the source code is obfuscated or not available at all.

The WASC report states that white box testing dramatically increases the probability of discovering high-severity vulnerabilities. PCS vendors should have white box testing performed on the web applications they now ship with their devices. Depending on the level of access they have to the device, asset owners should also be able to do some white box testing of their own. While asset owners usually cannot alter the code to remove a vulnerability, other security measures (network segmentation, access control in front of the web interface, disabling unneeded services) can be put in place to reduce the exposure.
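To make the difference between the two approaches concrete for the classes named above, here is an added example that is not from the WASC report or the original post. It models a device "ping diagnostic" page with an OS commanding flaw and a login lookup with a SQL injection flaw (the white box view: the insecure code pattern beside its hardened form), and a black-box probe of the kind an automated scanner runs, which only sees request and response. The handlers, the canary string and the sample user row are constructed for the example; `echo` stands in for the real `ping` binary so the code runs offline.

```python
"""Added example: OS commanding and SQL injection in a toy device web
handler, each beside a hardened version, plus a black-box probe."""
import ipaddress
import sqlite3
import subprocess

# Constructed marker the probe asks the target to echo back; any unlikely
# string works. Its presence in the response proves our input reached a shell.
CANARY = "WASC_PROBE_CANARY"


# --- OS commanding --------------------------------------------------------

def ping_vulnerable(host: str) -> str:
    """Insecure: user input is concatenated into a shell command line."""
    # 'echo' stands in for 'ping -c 1' so the example runs offline.
    cmd = f"echo PING {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_hardened(host: str) -> str:
    """Hardened: validate as an IP address and never hand input to a shell."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "error: invalid address"
    out = subprocess.run(["echo", "PING", str(addr)], capture_output=True, text=True)
    return out.stdout


# Payloads using the three common shell separators, each trying to echo the canary.
PAYLOADS = [
    f"127.0.0.1; echo {CANARY}",
    f"127.0.0.1 && echo {CANARY}",
    f"127.0.0.1 | echo {CANARY}",
]


def probe_os_commanding(handler) -> list:
    """Black-box check: return the payloads whose canary came back in the response."""
    return [p for p in PAYLOADS if CANARY in handler(p)]


# --- SQL injection --------------------------------------------------------

def _db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the device's credential store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Insecure: query built by string formatting."""
    q = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    try:
        return conn.execute(q).fetchone() is not None
    except sqlite3.Error:
        return False


def login_hardened(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Hardened: parameterised query; the input can never change the statement."""
    q = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(q, (name, pw)).fetchone() is not None


def probe_sql_injection(login) -> bool:
    """Black-box check: a login for a non-existent user that succeeds once a
    tautology is appended to the password is evidence of injection."""
    conn = _db()
    return login(conn, "nobody", "x' OR '1'='1")


if __name__ == "__main__":
    print("OS commanding, vulnerable:", probe_os_commanding(ping_vulnerable))
    print("OS commanding, hardened:  ", probe_os_commanding(ping_hardened))
    print("SQL injection, vulnerable:", probe_sql_injection(login_vulnerable))
    print("SQL injection, hardened:  ", probe_sql_injection(login_hardened))
```

The probe never sees the handler source, which is exactly the position an asset owner is in with a shipped device: a canary-echo or tautology payload is enough to flag both flaws. What it cannot tell you is how many other parameters share the same code path, or whether the fix was a real one (strict typing and no shell; parameter binding) or a denylist that a different separator will bypass; that is the information white box review of the handler provides.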

Side note: SANS ISC has been featuring a port a day for the month of October, and today's port is Modbus. There is a little background on the diary page, and they link back to the SCADApedia for more information.
