In a study by Joanne Kuzma (European digital libraries: web security vulnerabilities. Library Hi Tech, 28(3), 2010, pp. 402-413), a web vulnerability testing tool was used to analyse 80 European library sites in four countries to determine how many security vulnerabilities each had and what the most common types of problem were.
Her analysis showed that the majority of the libraries surveyed had serious security flaws in their web applications. The UK accounted for the highest proportion of both high-level (critical) and medium-level (moderately ranked problems that could pose some risk to the web application) security flaws.
A report by Cenzic (Web application security trends report Q3-Q4, 2008) found that nearly 80% of web-related flaws were web application vulnerabilities, the most common classes being:
- Cross-site scripting (XSS)
- Denial of service
- SQL (Structured Query Language) injection
In the WhiteHat Security "Web applications security statistics report 2016" (https://info.whitehatsec.com/rs/675-YBI-674/images/WH-2016-Stats-Report-FINAL.pdf) they list vulnerability likelihood by class, in descending order of likelihood. The top classes listed for 2016 were:
- Insufficient transport layer protection (not all traffic flowing between the two endpoints is properly encrypted and authenticated, which lets an attacker on the network path perform man-in-the-middle attacks)
- Information leakage
- Cross site scripting
- Content spoofing
- Brute force
- Cross site request forgery
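The transport-layer weakness at the top of that list is the one a practitioner can check most cheaply. The following is an added example, not code from the WhiteHat report or from Kuzma's study: a small offline check over constructed HTTP responses (not captured from any real library site) for three signals a scanner typically flags as insufficient transport layer protection: a plain-HTTP request that serves content instead of redirecting to HTTPS, an HTTPS response without a Strict-Transport-Security header (or with the policy disabled via max-age=0), and cookies set without the Secure flag. The rules, cookie names and sample responses are assumptions for illustration.

```python
"""Offline check for insufficient transport layer protection signals.

Added example: the rules below are an assumed minimal scanner policy,
not the WhiteHat or Kuzma methodology. Responses are constructed samples.
"""
from typing import Dict, List, Tuple


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP response into its status code and a header map.

    Header names are lower-cased; repeated headers (e.g. Set-Cookie)
    are collected into a list in order of appearance.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                return int(d[len("max-age="):])
            except ValueError:
                return 0
    return 0


def transport_findings(scheme: str, raw: str) -> List[str]:
    """Return transport-protection weaknesses for one response.

    scheme is the scheme the request was sent over: 'http' or 'https'.
    """
    status, headers = parse_response(raw)
    findings: List[str] = []

    if scheme == "http":
        # A plain-HTTP endpoint should only ever redirect to its HTTPS twin.
        location = headers.get("location", [""])[0]
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain-HTTP request served content instead of redirecting to HTTPS")
    else:
        # Without HSTS a browser will still accept a later plain-HTTP visit,
        # which is exactly the window a man-in-the-middle needs.
        hsts = headers.get("strict-transport-security")
        if not hsts:
            findings.append("no Strict-Transport-Security header")
        elif hsts_max_age(hsts[0]) <= 0:
            findings.append("Strict-Transport-Security present but max-age disables it")

    # A cookie without Secure is sent over plain HTTP too, leaking the session.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} set without the Secure flag")
    return findings


# Constructed sample responses for a hypothetical library catalogue host.
SAMPLE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "\r\n<html>catalogue</html>"
)
SAMPLE_HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://library.example/\r\n"
    "\r\n"
)
SAMPLE_HTTPS_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>catalogue</html>"
)
SAMPLE_HTTPS_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>catalogue</html>"
)

if __name__ == "__main__":
    for label, scheme, raw in [("http", "http", SAMPLE_HTTP),
                               ("http-redirect", "http", SAMPLE_HTTP_REDIRECT),
                               ("https-weak", "https", SAMPLE_HTTPS_WEAK),
                               ("https-good", "https", SAMPLE_HTTPS_GOOD)]:
        print(label, transport_findings(scheme, raw) or "no findings")
```

The check deliberately looks only at response headers, so it can be run against saved responses without touching the live site; it does not replace a real scanner, which would also verify the certificate chain and the TLS configuration itself.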
Kuzma holds that systems librarians should monitor security alerts from CERT and immediately install software patches and update their software to defend against attacks.
But should responsibility be placed solely on the systems librarian? It is all very well for librarians to hold privacy as one of their core values, but that value counts for little if they fail to take account of web security risks, whether through lack of awareness or for some other reason.