Application Security

1/3/2018
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Open Source Components, Code Volume Drag Down Web App Security

The number of new Web application vulnerabilities published last year was 212% greater than the number disclosed in 2016, Imperva says in a new report this week.

If there's something of a déjà vu-like quality to vendor and analyst reports summing up the state of Web application security these days its because they all inevitably arrive at the same conclusion: Web apps are becoming more insecure, not less.

The latest reminder of that trend is a report from Imperva released Wednesday showing a 212% percent increase in the number of new Web application vulnerabilities disclosed in 2017 compared to the year before. Using data gathered from multiple sources including vulnerability databases, forums, newsletters, and social media, Imperva tallied a total of 14,082 new vulnerabilities in Web applications last year compared to 6,615 in 2016.

The vendor found that more than half of Web applications have an exploit available publicly to hackers, meaning attacks against the apps are possible at any time. If that was not bad enough, some 36% of Web application vulnerabilities did not have a software patch, upgrade, or other available workaround. "Web application vulnerabilities are always on the rise, and 2017 was a record year," says Nadav Avital, security research team leader at Imperva. "Organizations should plan how to deal with the increase in vulnerabilities through carefully planned maintenance and patching programs or through external security solutions." 

Yet again, cross-site scripting (XSS) errors were the most common Web application vulnerability, accounting for 1,863 of the new vulnerabilities in Imperva's report, compared to just 630 the previous year. XSS continues to be one of the most basic Web application vulnerabilities and are very easy to test and find, Avital says. "Many of the products that suffer from XSS vulnerabilities are open source which makes it even easier to find the XSS vulnerabilities."

Vulnerable Web applications have been a major cause of data breaches in recent years. Last year's monster breach at Equifax that exposed personal data on more than 140 million individuals resulted from a Web application flaw that gave intruders a way inside the credit reporting giant's network. Botnet-enabled attacks on vulnerable Web applications in fact accounted for more breaches (571) than any other vector in Verizon's 2017 Data Breach Investigations Report. In contrast, cyber espionage, the second most common cause, accounted for just 289 breaches.

Security experts point to a handful of causes for the prevailing state of Web application security.

Chris Wysopal, CTO of CA Veracode, says one reason is the increasing use by developers of open source components to build applications. Often these components have bugs that then get inherited by the application that is built with them. Even with a process known as software composition analysis, checking for and replacing known vulnerabilities in open source components, there is still the issue of vulnerabilities being discovered after the application is deployed, Wysopal says.

"For example, CA Veracode’s State of Software Security Report 2017 found that 88% of Java applications had at least one flaw in a component," he says. The CA Veracode report found that applications produced internally and sourced externally have gotten worse when looked at against OWASP list of Top Ten vulnerabilities, he notes.

The sheer volume of Web applications being produced these days is another issue. "Modern software development frameworks have had a highly positive impact on Web application vulnerabilities over the years," says Jeremiah Grossman, chief of security strategy at SentinelOne. "[But] the bottom line is there’s an increasing amount of Web application code going into production."

"Similar to software bugs in general, more code equals more vulnerabilities. What we need to focus on is how to make sure a breach doesn’t happen due to exploiting just a single vulnerability," he says.

The growing adoption of DevOps, agile development, and CI/CD practices at many organizations has been a factor as well. "If development teams integrate security testing as an automated process as part of their CI/CD pipeline, then there should be an improvement in security," notes Wysopal. But if security remains outside of the continuous integration and continuous delivery pipeline, more applications are likely to be released without proper testing or without the proper fixes being applied to code before release, he says.

"DevOps has provided both significant upsides and downsides" with regard to Web application security, agrees Grossman. "On the upside, the rapid and frequent release cycles of DevOps provide more windows of opportunity to resolve identified vulnerabilities."

DevOps processes also shorten the time available to security teams to find and fix flaws in application before they make it to production, Grossman says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.