HP: Critical vulnerabilities on the decline, while total number of vulnerabilities on the rise

Security holes in mobile apps have increased 787 percent over last 5 years

The number of critical security vulnerabilities is on the decline, but the total number of vulnerabilities is on the rise, according to a security report issued Tuesday by HP (Nasdaq: HPQ).

Critical vulnerabilities, defined as those enabling a hacker to gain control of a computer or network, made up 20 percent of total vulnerabilities scored by the Open Source Vulnerability Database, down from 23 percent in 2011, according to the HP 2012 Cyber Risk Report.

The total number of vulnerabilities, both critical and non-critical, increased 19 percent in 2012 compared with 2011, according to the report.

"Vulnerabilities can impact every level of enterprise infrastructure from hardware, to network, to software (both old and new). These vulnerabilities are the gateway that malicious actors use to circumvent security protections and steal or alter data, deny access, and compromise critical business processes," the report warned.

Mobile devices and applications are becoming increasingly vulnerable to hackers, with the number of security holes in mobile apps increasing 787 percent over the last five years, according to the report. As the BYOD trend accelerates, these vulnerabilities are making their way into the enterprise.

Web applications are a significant source of vulnerabilities, such as SQL injection, cross-site scripting, cross-site request forgery and remote file includes attacks. Cross-site scripting, in particular, remains a widespread issue, with around 44 percent of web applications in HP's data set having this vulnerability.

"The security risk to organizations remains high," warned Mark Painter, product marketing manager at HP Fortify. "Web applications remain a very viable and popular attack vector. Organizations and developers have been slow to respond to long-standing issues," Painter told FierceEnterpriseCommunications.

Painter said less than 1 percent of 100,000 URLs examined by HP used a standard mitigation technique to prevent cross-frame scripting attacks. "This is significant that even after 10 years these sites are not preventing these attacks… It's not rocket surgery to fix this vulnerability," he added.

At the same time, the number of vulnerabilities in industrial control systems increased 768 percent from 2008 to 2012, reaching 191. Industrial control systems run power plants, oil pipelines, electricity grids and other critical automated systems.

In addition, HP launched on Tuesday the HP Security Research (HPSR) organization designed to help enterprises understand the security threat landscape and build defenses against attack. The organization will provide security intelligence through published reports, threat briefings and security products.

The HPSR will consolidate the work at existing HP research groups, including HP DVLabs, a research lab focused on vulnerability analysis, and HP Fortify Software Security Research, as well as the Zero Day Initiative, which focuses on identifying software flaws that have led to security breaches.

"We are starting to reach out to end users directly," explained Jacob West, chief technology officer of HP Enterprise Security. HPSR plans to hold bi-weekly threat briefings that include an audio podcast and report about security developments of the previous two weeks.

"We are going to be a great partner to enterprises that want to invest more in security intelligence; they can share some data with us in exchange for aggregate community data that we have," West related.

Enterprises and web developers continue to drag their feet on fixing security vulnerabilities that have been common for years. This helps explains the increase in the number of successful attacks. It is time for companies and developers to take security seriously and fix these known security holes.

For more:
- see the HP report (reg. req.)
- check out the HPSR release

Related articles:
HP ships 14-inch Chromebook
IBM, HP have different approaches to hardware, software