THIS SUMMER, an e-mail worm called Yammaner hit Yahoo Mail, a free Web-based e-mail service. The worm, written in JavaScript, tried to send itself to other Yahoo Mail contacts. A quick response from Yahoo ensured that the worm remained a low risk, but it was evidence that online software applications are likely to come under attack as they become increasingly popular.

Samir Kapuria, principal security strategist with Symantec Global Security Consulting, says that attackers “are now more interested in targets of choice rather than targets of chance,” meaning they’re more motivated by profit than bragging rights. Online applications, known variously as Web 2.0, software on demand, and software as a service (SaaS), are good targets, he says.

Web application vulnerabilities, such as the one that attackers tried to exploit with Yammaner, have serious security implications for SaaS, and these are on the rise, Kapuria says. In 2005, more than 3,700 vulnerabilities were identified (a 40 percent increase from 2004), and 69 percent of these affect Web applications.

Since SaaS relies on a Web browser for user access, vulnerabilities in browsers are also dangerous. Kapuria says that during the last half of 2005, 24 Internet Explorer and 17 Firefox vulnerabilities were documented. “The average severity rating for both the Internet Explorer and Firefox vulnerabilities was ‘high,’ meaning these vulnerabilities, if exploited, could result in the compromise of an entire system,” he says.

“A growing number of organizations are adopting on-demand applications [such] as customer relationship-management implementations, human resources capabilities, and financial management services such as payroll and accounting,” Kapuria says. “This represents a wealth of information that malicious users might leverage for financial gain.”

He points out that the common limited-time-free offers are a boon for criminals. “This provides potential attackers an opportunity to work with the service and try to determine where it is vulnerable,” he says. In other words, attackers are allowed inside a normally protected perimeter to do reconnaissance.

Kapuria reminds users that the security of their information depends in large part on the security of the service provider and urges them to shun providers “that offer little in the way of authentication or validation. They can also keep their Web browsers, operating systems, and other software patched.”