Web Application Security in Q1-Q3 2016
Read Time: 2 min.
High-Tech Bridge has released a brief overview of emerging web security trends and tendencies of Q1-Q3 2016 for Black Hat Europe 2016.
In addition to our previous publication on the web security trends of the first half of 2016, High-Tech Bridge is pleased to release a brief overview of emerging web security trends and tendencies during Q1-Q3 2016 for Black Hat Europe 2016 taking place in London this year.
Web application attacks are the highest external threat for companies in 2016. Gartner Hype Cycle for Application Security 2016 says that applications, not infrastructure, represent the main attack vector for data exfiltration.
Currently, over 1,300 people per day use High-Tech Bridge’s free web security services: SSL/TLS Security Test, Web Server Security Test and Domain Security Radar to validate their HTTPS encryption, test their web server and website weaknesses and detect malicious, or compromised websites, spoofing their digital identity. The largest financial and banking institutions, healthcare organizations, e-commerce and retail businesses rely on High-Tech Bridge’s award-winning web security testing platform ImmuniWeb® to test and secure their web applications. High-Tech Bridge’s security researchers have helped over 350 software vendors to detect and remediate vulnerabilities in their web applications, they also discovered RansomWeb and Drive-by-Login attacks that are skyrocketing today.
Based on the above-mentioned web security practice and research, below we provide a brief compilation of web security trends and tendencies from the first three quarters of 2016:
Web Application Security
- XSS vulnerabilities continue to dominate the list of most common vulnerabilities. In 37% of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control.
- Over 72% of assessed WordPress websites had default admin panel location and at least one bruteforcable login/password pair, nullifying other security efforts of their owners (e.g. keeping WP installation up2date).
- Over 77% of investigated mass website infections with malware and ransomware occur due to a known vulnerability in an open source CMS, its plugin or theme publicly disclosed over the last three months.
- Over 90% of in-house developed web applications designed to handle medical, financial or other sensitive data are vulnerable to a high-risk improper access control or other application logic flaws not related to the sanitization of user-supplied input (like in XSS or SQL injections for example).
- Most secure web applications belong to medium size organizations in Europe and the US, probably thanks to sufficient budgets (unlike SMEs) and centralized cybersecurity management (unlike multinationals).
HTTPS and Web Server Security
- Good progress in the elimination of deprecated and restricted by PCI DSS SSLv3 protocol – 18% of web servers still support it, compared to 23% in June 2016.
- No major improvement in usage of TLS 1.0 protocol restricted by PCI DSS (from June 2018) – 96.1% of web servers still support it, compared to 97% in June 2016.
- 2.1% of web servers have correctly configured Content Security Policy (CSP) compared to less than 1% in June 2016, with the highest implementation rate in the US.
- Private Bug Bounties shift towards pay-per-result penetration testing, introducing new restrictions for researchers to participate. Meanwhile, fully open bug bounty programs, such as OpenBugBounty increase their market niche.
- Companies are starting to experience bug bounty fatigue – when researchers have already found all simple and easily detectable vulnerabilities, and hesitate to spend days and nights searching for more advanced vectors of attacks and exploitations.
- In our web security testing practice, 9/10 companies with public or private bug bounty programs have at least two high or critical risk vulnerabilities detected in less than three days of professional auditing, and missed by the crowd due to detection and exploitation complexity.
Web Application Firewalls
- Frequently organizations don’t have an up2date inventory of their web application firewall rulesets and white/black lists they use in production environment.
- Web application firewalls with enabled behavioral analysis tend to block the majority of automated vulnerability scanners that subsequently generate empty reports, giving a false sense of security.
- Organizations still hesitate to integrate vulnerability scanning solutions with WAF due to the high rate of false-positives.
Ilia Kolochenko, High-Tech Bridge’s CEO, comments: “Today, web application security is a challenge for companies of all sizes: both SMEs and multinationals experience serious problems and face financial losses caused by insecure web applications. Traditional web security testing by automated solutions and defense by Web Application Firewalls cannot reliably protect modern web applications anymore.
Companies shall look on DevSecOps and S-SDLC implementation to manage their web application lifecycle. Web application security is a continuous process, not an ad-hoc action or quarterly scan. At High-Tech Bridge, we use artificial neural networks for intelligent automation of vulnerability scanning, reducing the human time required to assess complex web applications without impact on quality of the assessment. I think future of web application security testing belongs to intelligent automation of different processes under supervision of human.”
High-Tech Bridge’s team will be pleased to meet you in person, answer all your questions at our stand 606 at Black Hat Europe 2016 in London.