Web applications are the biggest security blindspot out there, according to a new analysis of real-world threats.

Compiled over a six-month period by Fortify Software using data from customers of its Application Defense system, the report notes the lack of data on Web application issues when compared with established attacks such as “viruses, network-based attacks, public vulnerability announcements and spam/phishing schemes.”

At the head of the list of application threats uncovered by Fortify are automated “bots storms,” which on average accounted for 50 percent to 70 percent of the attacks on Web applications found by the study. These are able to trawl randomly for known and unknown vulnerabilities without the need for human intervention, hence their growing popularity.

Bots, of course, are a nightmare to stop because they direct attacks from thousands or even millions of PCs located across the globe in multiple domains. The phenomenon of “Google hacking” accounted for a further 20 percent of attacks, whereby hackers can glean vulnerability data on specific websites by analyzing Google’s search results using software tools. Recorded at lower but still significant levels were even more dangerous forms of attacks such as cross-site scripting, SQL injection and standard buffer overflow compromises based on holes in specific applications.

“It’s critical that businesses understand the risk exposure of their applications and take the necessary steps to avoid dangerous security attacks,” said Fortify’s Brian Chess. “There is a wealth of research covering viruses, network-based attacks, public vulnerability announcements, spam and phishing schemes, but very little focusing on Web-enabled applications that sit beyond the reach of firewalls and traditional network security.”

Some operating systems—the report fingers a variant of FreeBSD—aid the anonymity of the Internet, allowing proxying to be conducted without the need for extensive expertise.
This means that criminals can hide their activities using proxies and encryption, even when carrying out hacks manually. This renders some of the country origination data for Web application attacks pretty useless. The United States comes out in the number-one spot in Fortify’s analysis, with China in second place and Poland in third. But if criminals are using anonymizing tools, the bulk of attacks could be coming from just about anywhere and everywhere.

-John E. Dunn, Techworld.com (London)