Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

1/3/2018
05:35 PM

Open Source Components, Code Volume Drag Down Web App Security

The number of new Web application vulnerabilities published last year was 212% greater than the number disclosed in 2016, Imperva says in a new report this week.

If there's something of a déjà vu-like quality to vendor and analyst reports summing up the state of Web application security these days, it's because they all inevitably arrive at the same conclusion: Web apps are becoming more insecure, not less.

The latest reminder of that trend is a report from Imperva released Wednesday showing a 212% increase in the number of new Web application vulnerabilities disclosed in 2017 compared to the year before. Using data gathered from multiple sources including vulnerability databases, forums, newsletters, and social media, Imperva tallied a total of 14,082 new vulnerabilities in Web applications last year compared to 6,615 in 2016.

The vendor found that more than half of Web applications have an exploit available publicly to hackers, meaning attacks against the apps are possible at any time. If that was not bad enough, some 36% of Web application vulnerabilities did not have a software patch, upgrade, or other available workaround. "Web application vulnerabilities are always on the rise, and 2017 was a record year," says Nadav Avital, security research team leader at Imperva. "Organizations should plan how to deal with the increase in vulnerabilities through carefully planned maintenance and patching programs or through external security solutions." 

Yet again, cross-site scripting (XSS) errors were the most common Web application vulnerability, accounting for 1,863 of the new vulnerabilities in Imperva's report, compared to just 630 the previous year. XSS continues to be one of the most basic Web application vulnerabilities and is very easy to test for and find, Avital says. "Many of the products that suffer from XSS vulnerabilities are open source, which makes it even easier to find the XSS vulnerabilities."

Vulnerable Web applications have been a major cause of data breaches in recent years. Last year's monster breach at Equifax that exposed personal data on more than 140 million individuals resulted from a Web application flaw that gave intruders a way inside the credit reporting giant's network. Botnet-enabled attacks on vulnerable Web applications in fact accounted for more breaches (571) than any other vector in Verizon's 2017 Data Breach Investigations Report. In contrast, cyber espionage, the second most common cause, accounted for just 289 breaches.

Security experts point to a handful of causes for the prevailing state of Web application security.

Chris Wysopal, CTO of CA Veracode, says one reason is the increasing use by developers of open source components to build applications. Often these components have bugs that then get inherited by the application that is built with them. Even with a process known as software composition analysis, checking for and replacing known vulnerabilities in open source components, there is still the issue of vulnerabilities being discovered after the application is deployed, Wysopal says.

"For example, CA Veracode’s State of Software Security Report 2017 found that 88% of Java applications had at least one flaw in a component," he says. The CA Veracode report found that applications produced internally and sourced externally have gotten worse when looked at against the OWASP list of Top Ten vulnerabilities, he notes.

The sheer volume of Web applications being produced these days is another issue. "Modern software development frameworks have had a highly positive impact on Web application vulnerabilities over the years," says Jeremiah Grossman, chief of security strategy at SentinelOne. "[But] the bottom line is there’s an increasing amount of Web application code going into production."

"Similar to software bugs in general, more code equals more vulnerabilities. What we need to focus on is how to make sure a breach doesn’t happen due to exploiting just a single vulnerability," he says.

The growing adoption of DevOps, agile development, and CI/CD practices at many organizations has been a factor as well. "If development teams integrate security testing as an automated process as part of their CI/CD pipeline, then there should be an improvement in security," notes Wysopal. But if security remains outside of the continuous integration and continuous delivery pipeline, more applications are likely to be released without proper testing or without the proper fixes being applied to code before release, he says.

"DevOps has provided both significant upsides and downsides" with regard to Web application security, agrees Grossman. "On the upside, the rapid and frequent release cycles of DevOps provide more windows of opportunity to resolve identified vulnerabilities."

DevOps processes also shorten the time available to security teams to find and fix flaws in applications before they make it to production, Grossman says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
