If there's something of a déjà vu-like quality to vendor and analyst reports summing up the state of Web application security these days its because they all inevitably arrive at the same conclusion: Web apps are becoming more insecure, not less.
The latest reminder of that trend is a report from Imperva released Wednesday showing a 212% percent increase in the number of new Web application vulnerabilities disclosed in 2017 compared to the year before. Using data gathered from multiple sources including vulnerability databases, forums, newsletters, and social media, Imperva tallied a total of 14,082 new vulnerabilities in Web applications last year compared to 6,615 in 2016.
The vendor found that more than half of Web applications have an exploit available publicly to hackers, meaning attacks against the apps are possible at any time. If that was not bad enough, some 36% of Web application vulnerabilities did not have a software patch, upgrade, or other available workaround. "Web application vulnerabilities are always on the rise, and 2017 was a record year," says Nadav Avital, security research team leader at Imperva. "Organizations should plan how to deal with the increase in vulnerabilities through carefully planned maintenance and patching programs or through external security solutions."
Yet again, cross-site scripting (XSS) errors were the most common Web application vulnerability, accounting for 1,863 of the new vulnerabilities in Imperva's report, compared to just 630 the previous year. XSS continues to be one of the most basic Web application vulnerabilities and are very easy to test and find, Avital says. "Many of the products that suffer from XSS vulnerabilities are open source which makes it even easier to find the XSS vulnerabilities."
Vulnerable Web applications have been a major cause of data breaches in recent years. Last year's monster breach at Equifax that exposed personal data on more than 140 million individuals resulted from a Web application flaw that gave intruders a way inside the credit reporting giant's network. Botnet-enabled attacks on vulnerable Web applications in fact accounted for more breaches (571) than any other vector in Verizon's 2017 Data Breach Investigations Report. In contrast, cyber espionage, the second most common cause, accounted for just 289 breaches.
Security experts point to a handful of causes for the prevailing state of Web application security.
Chris Wysopal, CTO of CA Veracode, says one reason is the increasing use by developers of open source components to build applications. Often these components have bugs that then get inherited by the application that is built with them. Even with a process known as software composition analysis, checking for and replacing known vulnerabilities in open source components, there is still the issue of vulnerabilities being discovered after the application is deployed, Wysopal says.
"For example, CA Veracode’s State of Software Security Report 2017 found that 88% of Java applications had at least one flaw in a component," he says. The CA Veracode report found that applications produced internally and sourced externally have gotten worse when looked at against OWASP list of Top Ten vulnerabilities, he notes.
The sheer volume of Web applications being produced these days is another issue. "Modern software development frameworks have had a highly positive impact on Web application vulnerabilities over the years," says Jeremiah Grossman, chief of security strategy at SentinelOne. "[But] the bottom line is there’s an increasing amount of Web application code going into production."
"Similar to software bugs in general, more code equals more vulnerabilities. What we need to focus on is how to make sure a breach doesn’t happen due to exploiting just a single vulnerability," he says.
The growing adoption of DevOps, agile development, and CI/CD practices at many organizations has been a factor as well. "If development teams integrate security testing as an automated process as part of their CI/CD pipeline, then there should be an improvement in security," notes Wysopal. But if security remains outside of the continuous integration and continuous delivery pipeline, more applications are likely to be released without proper testing or without the proper fixes being applied to code before release, he says.
"DevOps has provided both significant upsides and downsides" with regard to Web application security, agrees Grossman. "On the upside, the rapid and frequent release cycles of DevOps provide more windows of opportunity to resolve identified vulnerabilities."
DevOps processes also shorten the time available to security teams to find and fix flaws in application before they make it to production, Grossman says.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio