Earlier this year, the NTA Monitor’s Web Application Security Report 2009 analysed the results of 12 months of web application security testing. A large 27% of all online applications tested contained at least one high-risk vulnerability (an increase from 17% in the previous year).
Then in September the SANS Institute released its 2009 report on the top cyber security risks. This includes vulnerability data from 9,000,000 systems as well as additional analysis by the Internet Storm Center. The Institute found that (a) online attacks have substantially increased; and (b) 60% occur on web applications.
"Enterprises focus on attacks they can detect…[and] are expecting," says Johannes Ullrich, CTO of the SANS Internet Storm Center, who also contributed to the report. "But they are missing a lot."
During the same period, other security researchers have identified a dramatic increase in a particular type of attack on online applications and public websites: SQL injection.
SQL injection is a well-known attack vector that takes advantage of inconsistent security configuration in an application or web server to allow a hacker to run their own database queries and execute code on the target system.
This code commonly enables the hacker to get access to the database’s confidential information and potentially gain root server access. They then have complete control of the target environment and all systems (including websites) that reside therein, and are then able to use this control to achieve their objectives.
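To make the mechanism behind the two paragraphs above concrete, here is an added illustration (not code from the original article or from any of the vendors it cites). It uses Python's built-in sqlite3 module and a constructed in-memory table with two hypothetical users; the two lookup functions are the author's own example, contrasting a query built by string concatenation with the parameterised form that closes the hole.

```python
import sqlite3

# Constructed sample data for the demonstration (an assumption, not from the article).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: user input is spliced into the SQL text itself.

    Whatever the caller supplies is parsed by the database as part of the
    statement, so quotes and operators in the input change the query's logic.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a parameterised query.

    The statement text is fixed; the driver hands the input to the engine as a
    bound value, so it is compared as data and never interpreted as SQL.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username):
    """Run both lookups on the same input and return their row counts."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "safe_rows": len(lookup_safe(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print("alice:", compare("alice"))
    # A crafted string that is valid SQL once concatenated: the vulnerable
    # version returns every row, the parameterised version returns none,
    # because no user is literally named that.
    print("crafted:", compare("' OR '1'='1"))
```

The point a defender should take from this: the fix is not filtering specific characters but never letting input reach the SQL parser at all, which is what bound parameters guarantee. Pairing that with a database account that holds only the privileges the application needs limits what a successful injection elsewhere can reach.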
Delivering a keynote security speech at July’s (ISC)2 conference in London, IBM ISS technical manager James Rendell, claimed that there had been an ‘absolute explosion’ in SQL injections.
Then in August, Mary Landesman, a senior security researcher at ScanSafe announced that up to 130,000 websites had been compromised (at that stage) through a program of mass SQL injections. This included a host of reputable public websites.
Since August, a large number of security reports have highlighted the high number of vulnerabilities in websites and online applications as well as the growing incidence of attacks on public websites, principally using SQL injection.
These trends are very disturbing and highlight the heightened threat facing organisations that operate public-facing websites that support sensitive links/information.