Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

3/16/2020
12:30 PM
50%
50%

Fewer Vulnerabilities in Web Frameworks, but Exploits Remain Steady

Attackers continue to focus on web and application frameworks, such as Apache Struts and WordPress, fighting against a decline in vulnerabilities, according to an analysis.

The number of vulnerabilities in major web-application frameworks has declined since peaking most recently in 2016, but attackers have remained focused on exploiting weaknesses in the software platforms, according to an analysis published by cybersecurity firm RiskSense on March 16.

The result is that while major frameworks such as Apache Struts and platforms such as WordPress have seen fewer overall vulnerabilities, the weaponization rate climbed to 8.6% in 2019, exceeding the 3.9% rate for the National Vulnerability Database as a whole. The data suggests that although the groups and organizations responsible for maintaining the frameworks have become better at securing the code, attackers remain focused on finding ways to use the even smaller number of security bugs to compromise web application servers, says Wade Williamson, a researcher with RiskSense.

"Web application frameworks are the last piece of code that people pay attention to," he says. "But they are Internet-facing, there are a lot of them, and they are easy to find once they are out there."

The data suggests that companies should take stock of their web application frameworks from the standpoint of security. The typical website is scanned by automated attacks targeting exploitable vulnerabilities dozens of times a day, past research has shown

Because developers typically are not going to help maintain the actual framework, and producing patches for web application frameworks can sap a great deal of developer productivity, selecting the right platform for a company's web applications is extremely important, Williamson says.

"No matter how good of a developer you are, if there is a vulnerability in your framework, your application is going to be vulnerable," he says. "As a developer and an organization, choosing a framework is a big deal — it is what the security of your apps will rely on."

While the rate of exploitation — or weaponization, as RiskSense calls it — has increased, the absolute number of exploits has not risen by much. The increase in the rate of weaponization is more due to the drop in vulnerabilities in the frameworks overall — a positive sign.

However, WordPress, Apache Struts, and Drupal — along with their parent languages PHP and Java — continue to have the highest rates of weaponization, Williamson says. 

"We have been seeing very different types of problems in the past five years versus the past 10, but even as that changed, the problems with weaponization were still in the same spots," he says. "The hot spots remained the same."

It's not just a measure of their popularity or of the framework's age, he adds. Apache Struts, for example, is declining in popularity but has had a significant number of vulnerabilities, 

"I think Apache Struts is one of the first frameworks that I, as a developer, would consider moving away from," he says. "It is not just about who has the broadest footprint, because the attackers are still very active in investigating certain frameworks, even as their popularity goes down."

The Python frameworks have become very popular and both the number of vulnerabilities found in popular frameworks, such as Django and Flask, and the weaponization rates have been very low. 

JavaScript has also become increasingly scrutinized by researchers, with many more vulnerabilities discovered. But so far, only one issue in the Node.js framework has been exploited in the past five years, according to RiskSense data.

However, web application frameworks have evolved over time, as have the vulnerabilities that attackers have found. In 2010, cross-site scripting, input validation, and permission errors topped the list of reported security issues. In 2019, the top three issues were input validation, information exposure, and access control. Cross-site scripting has fallen to the fifth most exploited issue.

From a vulnerability standpoint, Python-based and JavaScript-based frameworks seem to have the fewest vulnerabilities and the fewest weaponized vulnerabilities, and perhaps those frameworks should be increasingly considered, Williamson says.

"Upgrading frameworks is kind of a pain and risky for developers because as you move from version to version, you have to maintain your changes," he says. "So, to me, the choice of framework is one of risk and the level of maintenance you can tolerate."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
shahar.sperling
50%
50%
shahar.sperling,
User Rank: Author
3/18/2020 | 5:34:09 AM
Not just the numbers but the who
You mention trends and numbers but what we should be looking at is the "who". Web application numbers are exploading into the millions. But the target interest remains much smaller. It's the large cooperations that are the fat targets. So looking and overrall Struts trend is misleading. What is the trend at the large, legacy development organizations? They are still relying heavily on the well established frameworks and will likely continue to do so for a long time coming.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.