Are applications really more secure today?
Apparent good news as vulnerability counts fall, but response times are up and basic flaws still persist in vast numbers of apps...
A new report has uncovered good news about application security for a change - the security posture of the average organization has improved, with web applications analysed in 2015 having an average of four vulnerabilities - that number has dropped to three in 2016.
While a 25 per cent reduction in vulnerabilities on average is clearly positive, the fact that there are still three per app is still rather too many, on the face of it. In other bad news, average response times have increased over the last year, with the average time it takes to fix a high-risk vulnerability after discovery hitting 196 days – 25 days longer than the average of 171 days in 2015.
However, fixing critical vulnerabilities improved in 2016, taking an average of 129 days, compared with 146 days in the previous year, the report by WhiteHat Security found. The company ascribed the apparent disconnect between high-risk and critical response times to widespread adoption of Agile rather than waterfall software development methodology. This means that difficult, time-consuming high-risk vulnerabilities were not addressed, while critical vulnerabilities were due to CISO or senior management intervention.
WhiteHat gleaned the data from 15,000 Web applications that it monitors and more than 65,600 mobile apps or, in other words, an application sample that is 81 per cent mobile. However, recent application security research released at Infosec 2017 by High-Tech Bridge found that more than 95 per cent of vulnerabilities in mobile application code are not easily exploitable and do not pose a major risk.
High-Tech Bridge researchers found that the number one flaw in in mobile applications within banking, financial and retail sectors is insecure, or clear text storage of sensitive or authentication data on a mobile device. The second most popular flaw consists of insecure, or otherwise unreliable, components used in the application code putting mobile phone privacy at risk. The third is insecure communication with a mobile backend (APIs and Web Services), enabling the interception of sensitive data or conducting MITM attacks.
However, while these issues are widespread, their severity is limited, as Ilia Kolochenko, CEO of High-Tech Bridge, explains: “All these vulnerabilities may be serious, but they also usually require another malicious application already installed on a device, and/or an attacker in the same network segment as the victim, and thus are hardly exploitable in the wild.”
High-Tech Bridge researchers also found that 83 per cent of mobile apps within banking, financial and retail sectors have mobile back ends (web services and APIs) that are vulnerable to at least one high-risk security vulnerability. Kolochenko, CEO of High-Tech Bridge, continued to explain: “Most popular vulnerabilities are insufficient, or missing, authorization when accessing sensitive data or data belonging to other users. Various injections, mainly represented by SQL and XML injections, are also quite common, in many cases aggravated by a missing WAF on the mobile backend.”
The WhiteHat report agreed on many points however, finding that mobile apps were commonly vulnerable when communicating to the backend, due to insecure connections or improperly implemented secure transportation of the data from the device to the backend server. Insufficient transport layer security (TLS) protection in the wake of Heartbleed was also flagged in the report as a serious and recurring issue.
High-Tech Bridge offers free SSL/TLS testing that thoroughly tests for known vulnerabilities in SSL/TLS implementation such as Heartbleed, as well as common issues in encryption protocols, such as POODLE, and checking if a SSL/TLS configuration is compliant with PCI DSS requirements, HIPAA guidance and NIST guidelines.