
Application Security

3/16/2020
12:30 PM

Fewer Vulnerabilities in Web Frameworks, but Exploits Remain Steady

Attackers continue to focus on web and application frameworks, such as Apache Struts and WordPress, fighting against a decline in vulnerabilities, according to an analysis.

The number of vulnerabilities in major web-application frameworks has declined since peaking most recently in 2016, but attackers have remained focused on exploiting weaknesses in the software platforms, according to an analysis published by cybersecurity firm RiskSense on March 16.

The result is that while major frameworks such as Apache Struts and platforms such as WordPress have seen fewer overall vulnerabilities, the weaponization rate climbed to 8.6% in 2019, exceeding the 3.9% rate for the National Vulnerability Database as a whole. The data suggests that although the groups and organizations responsible for maintaining the frameworks have become better at securing the code, attackers remain focused on finding ways to use the smaller number of security bugs to compromise web application servers, says Wade Williamson, a researcher with RiskSense.

"Web application frameworks are the last piece of code that people pay attention to," he says. "But they are Internet-facing, there are a lot of them, and they are easy to find once they are out there."

The data suggests that companies should take stock of their web application frameworks from a security standpoint. Past research has shown that the typical website is scanned by automated attacks targeting exploitable vulnerabilities dozens of times a day.

Because developers typically are not going to help maintain the actual framework, and producing patches for web application frameworks can sap a great deal of developer productivity, selecting the right platform for a company's web applications is extremely important, Williamson says.

"No matter how good of a developer you are, if there is a vulnerability in your framework, your application is going to be vulnerable," he says. "As a developer and an organization, choosing a framework is a big deal — it is what the security of your apps will rely on."

While the rate of exploitation — or weaponization, as RiskSense calls it — has increased, the absolute number of exploits has not risen by much. The increase in the rate of weaponization is more due to the drop in vulnerabilities in the frameworks overall — a positive sign.

However, WordPress, Apache Struts, and Drupal — along with their parent languages PHP and Java — continue to have the highest rates of weaponization, Williamson says.

"We have been seeing very different types of problems in the past five years versus the past 10, but even as that changed, the problems with weaponization were still in the same spots," he says. "The hot spots remained the same."

It's not just a measure of their popularity or of the framework's age, he adds. Apache Struts, for example, is declining in popularity but has had a significant number of vulnerabilities.

"I think Apache Struts is one of the first frameworks that I, as a developer, would consider moving away from," he says. "It is not just about who has the broadest footprint, because the attackers are still very active in investigating certain frameworks, even as their popularity goes down."

The Python frameworks have become very popular, and both the number of vulnerabilities found in popular frameworks, such as Django and Flask, and the weaponization rates have been very low.

JavaScript has also become increasingly scrutinized by researchers, with many more vulnerabilities discovered. But so far, only one issue in the Node.js framework has been exploited in the past five years, according to RiskSense data.

However, web application frameworks have evolved over time, as have the vulnerabilities that attackers have found. In 2010, cross-site scripting, input validation, and permission errors topped the list of reported security issues. In 2019, the top three issues were input validation, information exposure, and access control. Cross-site scripting has fallen to the fifth most exploited issue.

From a vulnerability standpoint, Python-based and JavaScript-based frameworks seem to have the fewest vulnerabilities and the fewest weaponized vulnerabilities, and perhaps those frameworks should be increasingly considered, Williamson says.

"Upgrading frameworks is kind of a pain and risky for developers because as you move from version to version, you have to maintain your changes," he says. "So, to me, the choice of framework is one of risk and the level of maintenance you can tolerate."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments
shahar.sperling
User Rank: Author
3/18/2020 | 5:34:09 AM
Not just the numbers but the who
You mention trends and numbers, but what we should be looking at is the "who". Web application numbers are exploding into the millions. But the target interest remains much smaller. It's the large corporations that are the fat targets. So looking at an overall Struts trend is misleading. What is the trend at the large, legacy development organizations? They are still relying heavily on the well established frameworks and will likely continue to do so for a long time to come.