All applications are vulnerable, claims shock security report
Downright frightening figures on web application vulnerabilities paint damning picture of security trends.
New research has shone a light on web application security, and the results are pretty shocking - indeed, they could hardly be worse. According to a research report, testers found vulnerabilities in an impressive 100 per cent of web applications tested.
Only six per cent of web applications were free of high-severity vulnerabilities, while 85 per cent of the web applications had vulnerabilities that allow attacks against users.
The report, Web Application Vulnerabilities in 2017 from Positive Technologies is based on automated source code analysis through the PT Application Inspector of 33 web applications.
The company found that finance web applications are the most vulnerable, with high-severity vulnerabilities found in all tested banking and other finance web applications. The researchers ascribed this high rate to a simple failing - complexity. “Greater complexity results in more opportunities for critical vulnerabilities to arise. By exploiting these vulnerabilities, an attacker may be able to bring an application offline or run arbitrary code on a target system, which can lead to gaining control over the server hosting the web application”, noted the researchers.
Meanwhile, all tested government web applications contained vulnerabilities that could be leveraged to attack users.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies said: “Web applications practically have a target painted on their back. A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyse application source code.”
Although the results from Positive Technologies are unusually negative - and may include vulnerabilities that can easily be mitigated by a WAF - the figures support the trend uncovered by High-Tech Bridge back in 2017. Researchers for High-Tech Bridge found that 83 per cent of mobile apps within banking, financial and retail sectors have a mobile backend (web services and APIs) that is vulnerable to at least one high-risk security vulnerability. Most popular vulnerabilities are insufficient, or missing, authorization when accessing sensitive data or data belonging to other users, but also various injections, mainly represented by SQL and XML injections, are quite common, frequently aggravated by a missing WAF on the mobile backend.
Even the smallest toe-hold can open up a network to attackers, as the recent Zealot Apache Strut campaign demonstrated. A sophisticated multi-staged attack targeted internal networks with the leaked NSA EternalBlue and EternalSynergy exploits. Ilia Kolochenko, CEO of web security company, High-Tech Bridge commented at the time that: “Companies should maintain a comprehensive and up2date inventory of their IT systems. It is enough to forget about one tiny web application to get attackers on board. Some people may argue that it’s a very challenging and time-consuming task, but it’s much easier than most people think.
“To help companies tackle this problem, at High-Tech Bridge we launched a free discovery service that enumerates your external mobile and web apps, as well as their APIs. Once you have inventory of your digital assets, you can continue with patch management, security hardening, threat hunting and anomaly monitoring – without a risk to ruin all your efforts by one forgotten app.”
This and the rest of the key issues facing security professionals will be up for debate at the upcoming GISD spring edition 2018 in Geneva. Board level security professionals from UBS, GlaxoSmithKline and International Labour Organization will round out an expert panel delivering and debating key industry insights. Registration for security professionals is free, and attendees are vetted to ensure a sales-free environment.