PALO ALTO, Calif., April 2 /PRNewswire/ -- Fortify Software, the
leading provider of security products that help companies identify, manage
and remediate software vulnerabilities, today announced that its Security
Research Group has documented the first major vulnerability associated
Hijacking, the vulnerability allows an attacker to steal critical data by
emulating unsuspecting users. To combat this issue, Fortify has released an
in-depth security advisory that details this vulnerability, how enterprises
can determine if they are vulnerable and how they can fix the issue. A copy
of this advisory can be downloaded at www.fortifysoftware.com/advisory.jsp.
In Fortify's work, the 12 most popular AJAX frameworks were analyzed,
including frameworks from Google, Microsoft, Yahoo! and the open source
community. Fortify determined that among them, only Direct Web Remoting
rest of the frameworks do not explicitly provide any protection and do not
mention any security concerns in their documentation. Even if an
application does not use any of the frameworks listed above, it may be
transfer format for sensitive data.
"With recent surveys from McKinsey indicating that almost 75 percent of
enterprises plan on increasing their investment in Web 2.0 technologies, it
is clear that we need to address the issue now," said Brian Chess, Fortify
Software's co-founder and Chief Scientist. "Unlike vulnerabilities that are
tied to a specific application or operating system, there is no single
vendor to which this issue can be reported and resolved. In fact, many rich
Web applications don't use any framework at all. As a result, we need to
educate software developers about the risk that Web 2.0 brings."
Fortify contacted a large group of security researchers, enterprises
deploying Web 2.0, industry analysts, software developers and framework
architects to determine the best course of action. The general consensus
was that Fortify needed to inform the industry in a timely fashion while
ensuring a fix was available. Fortify's Web 2.0 Security Advisory was
written to explain the issues to the business community as well as help
developers fix the problem at the source code level.
"There are some worrying estimates of the percentage of websites with
vulnerabilities, so I think it's good for the industry to focus on greater
security, particularly in understanding the risks," said Joe Walker, CEO of
Getahead Ltd. and a developer and consultant working on advanced web
development techniques like AJAX. "I'm pleased to see that Fortify is
spending time to explain the problem and investigate the issues."
Although Web 2.0 functionality has already seen mainstream use by
consumers (e.g. social networking sites like MySpace), enterprises are
recognizing the growing value of pushing applications to the Web, and are
rapidly deploying frameworks to facilitate quick access to information,
improve application performance and encourage collaboration. According to a
March 2007 McKinsey survey, the industries most likely to adopt Web 2.0
technologies are retail, high tech, telecommunications, finance and
The vulnerability opens businesses up to malware that can allow an
attacker to pose as the user accessing the Web 2.0 application. Once the
attacker successfully impersonates the victim, they can read sensitive data
a transport mechanism. These attackers can then buy and sell goods, trade
stocks, adjust security settings for an enterprise network or access and
manipulate customer, inventory and financial information.
Any framework or application that meets these criteria may be at risk
frameworks and applications should take immediate measures to prevent the
vulnerability. Fortify Software advocates a two-pronged approach that
allows applications to decline malicious requests and prevent attackers
Security researchers like Jeremiah Grossman have already demonstrated
the viability of this new class of vulnerability in specific instances.
"New technology often leads to new risks and opens unforeseen avenues of
malicious attack. Once understood, developers need to ensure the necessary
safeguards are in place when they break new ground," said Grossman, CTO of
WhiteHat Security. "Those responsible for the security of Web 2.0
deployments need to take this issue seriously and implement the steps
necessary to resolve the issue before the risk results in an incident."
About Fortify Software, Inc.
Fortify Software products protect companies from the threats posed by
security flaws in business-critical software applications. Its software
security products -- Fortify SCA, Fortify Manager, Fortify Tracer and
Fortify Defender -- drive down costs and security risks by automating key
processes of developing and deploying secure applications. Fortify
Software's customers include government agencies and FORTUNE 500 companies
in a wide variety of industries, such as financial services, healthcare,
e-commerce, telecommunications, publishing, insurance, systems integration
and information management. The company is backed by a world-class team of
software security experts and partners. More information is available at
SOURCE Fortify Software