Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

1/3/2018
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Open Source Components, Code Volume Drag Down Web App Security

The number of new Web application vulnerabilities published last year was 212% greater than the number disclosed in 2016, Imperva says in a new report this week.

If there's something of a déjà vu-like quality to vendor and analyst reports summing up the state of Web application security these days its because they all inevitably arrive at the same conclusion: Web apps are becoming more insecure, not less.

The latest reminder of that trend is a report from Imperva released Wednesday showing a 212% percent increase in the number of new Web application vulnerabilities disclosed in 2017 compared to the year before. Using data gathered from multiple sources including vulnerability databases, forums, newsletters, and social media, Imperva tallied a total of 14,082 new vulnerabilities in Web applications last year compared to 6,615 in 2016.

The vendor found that more than half of Web applications have an exploit available publicly to hackers, meaning attacks against the apps are possible at any time. If that was not bad enough, some 36% of Web application vulnerabilities did not have a software patch, upgrade, or other available workaround. "Web application vulnerabilities are always on the rise, and 2017 was a record year," says Nadav Avital, security research team leader at Imperva. "Organizations should plan how to deal with the increase in vulnerabilities through carefully planned maintenance and patching programs or through external security solutions." 

Yet again, cross-site scripting (XSS) errors were the most common Web application vulnerability, accounting for 1,863 of the new vulnerabilities in Imperva's report, compared to just 630 the previous year. XSS continues to be one of the most basic Web application vulnerabilities and are very easy to test and find, Avital says. "Many of the products that suffer from XSS vulnerabilities are open source which makes it even easier to find the XSS vulnerabilities."

Vulnerable Web applications have been a major cause of data breaches in recent years. Last year's monster breach at Equifax that exposed personal data on more than 140 million individuals resulted from a Web application flaw that gave intruders a way inside the credit reporting giant's network. Botnet-enabled attacks on vulnerable Web applications in fact accounted for more breaches (571) than any other vector in Verizon's 2017 Data Breach Investigations Report. In contrast, cyber espionage, the second most common cause, accounted for just 289 breaches.

Security experts point to a handful of causes for the prevailing state of Web application security.

Chris Wysopal, CTO of CA Veracode, says one reason is the increasing use by developers of open source components to build applications. Often these components have bugs that then get inherited by the application that is built with them. Even with a process known as software composition analysis, checking for and replacing known vulnerabilities in open source components, there is still the issue of vulnerabilities being discovered after the application is deployed, Wysopal says.

"For example, CA Veracode’s State of Software Security Report 2017 found that 88% of Java applications had at least one flaw in a component," he says. The CA Veracode report found that applications produced internally and sourced externally have gotten worse when looked at against OWASP list of Top Ten vulnerabilities, he notes.

The sheer volume of Web applications being produced these days is another issue. "Modern software development frameworks have had a highly positive impact on Web application vulnerabilities over the years," says Jeremiah Grossman, chief of security strategy at SentinelOne. "[But] the bottom line is there’s an increasing amount of Web application code going into production."

"Similar to software bugs in general, more code equals more vulnerabilities. What we need to focus on is how to make sure a breach doesn’t happen due to exploiting just a single vulnerability," he says.

The growing adoption of DevOps, agile development, and CI/CD practices at many organizations has been a factor as well. "If development teams integrate security testing as an automated process as part of their CI/CD pipeline, then there should be an improvement in security," notes Wysopal. But if security remains outside of the continuous integration and continuous delivery pipeline, more applications are likely to be released without proper testing or without the proper fixes being applied to code before release, he says.

"DevOps has provided both significant upsides and downsides" with regard to Web application security, agrees Grossman. "On the upside, the rapid and frequent release cycles of DevOps provide more windows of opportunity to resolve identified vulnerabilities."

DevOps processes also shorten the time available to security teams to find and fix flaws in application before they make it to production, Grossman says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
Anatomy of a BEC Scam
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15593
PUBLISHED: 2019-11-22
GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments.
CVE-2019-16285
PUBLISHED: 2019-11-22
If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive.
CVE-2019-16286
PUBLISHED: 2019-11-22
An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands.
CVE-2019-16287
PUBLISHED: 2019-11-22
An attacker may be able to leverage the application filter bypass vulnerability to gain privileged access to create a file on the local file system whose presence puts the device in Administrative Mode, which will allow the attacker to executed commands with elevated privileges.
CVE-2019-18909
PUBLISHED: 2019-11-22
The VPN software within HP ThinPro does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges.