Application Security

7/11/2017
09:50 PM
50%
50%

Web App Vulnerabilities Decline 25% in 12 Months

WhiteHat Security's annual Web app report shows the average number of vulns in a Web app is down from four to three.

Despite the number of vulnerabilities found in a single Web application falling by 25% in 2016 over the previous year, the number of exploitable flaws remains too high, according to WhiteHat Security's 12th Annual Application Security Statistics Report released today.

The average number of vulnerabilities found in a Web application fell to three from four, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center and Technical Support. Ideally that figure should be zero, however, he says.

"Three sounds like a low number but even one vulnerability can be exploited and give attackers access to your credit card information or other personal information. It only takes one vulnerability to create a huge issue for a company," says O'Leary.

WhiteHat, which gleaned the data from 15,000 Web applications it monitors and more than 65,600 mobile apps, also crunched the numbers on the days it takes to fix critical and high-risk vulnerabilities as well as the types of vulnerabilities that are the most prevalent on mobile devices and on the Web.

According to the report, the average time it takes to fix a high-risk vulnerability after its discovery is 196 days – 25 days longer than the average of 171 days in 2015.

The reason it's taking longer to fix high-risk vulnerabilities is likely due to software developers switching over to an Agile software development process from the older, traditional waterfall method, O'Leary says. While there's typically a chunk of time at the end of a waterfall project to fix vulnerabilities, there are smaller slivers of time to fix exploitable flaws under the Agile method, O'Leary explains.

As a result, software developers tend to want to fix the easiest vulnerabilities first under an Agile method and that usually means the more complex vulnerabilities get left behind, and those are usually also high-risk flaws, O'Leary says.

But critical vulnerabilities, such as those that can lead to a total compromise of a server, database, or sensitive information, are usually slotted in and addressed at the prompting of a CISO or business leader -- even under an Agile software development process, says O'Leary.

Fixing critical vulnerabilities improved in 2016, taking an average of 129 days, compared with 146 days in the previous year, the report found.

Where the Vulns Are

When it comes to mobile apps, the top three Android app categories where vulnerabilities were found included news, games, and lifestyle apps, according to the report. And for the iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.

The most common type of vulnerability for mobile apps, whether Android or iOS, is the communication that occurs between the mobile device itself and the backend server, O'Leary says. The vulnerability resides in the secure transportation of the data from the device to the backend server.

For Web apps, approximately 60% of applications are "always vulnerable" in the utilities, education, accommodations, retail, and manufacturing industries, the report found. The "always vulnerable" status means that WhiteHat was able to find at least one vulnerability in the app every minute of the day during the 12 months it collected data for the report.

Web apps continue to suffer from two major vulnerabilities that seem to have existed "forever," O'Leary says, cross-site scripting (XSS) and information leakage.

The most common type of Web app is XSS, regardless of the industry. "People have known about it forever but can't seem to fix it," he says.

Information leakage, meanwhile, often is the result of software developers leaving comments in their code, for example, he says. That information is made public when the app is launched and can ultimately provide attackers with enough information to aid them to launch an attack, O'Leary says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

One of the new vulnerabilities that has emerged over the last couple of years is insufficient transport layer security (TLS) protection, says O'Leary. He noted Heartbleed was the first to take advantage of the open TLS handshake that occurs as information is passed from the browser to the server.

"In 2012, you didn't see much of vulnerabilities in the transport layer but after Heartbleed, it set off a bunch of these types of vulnerabilities, he notes.

Software developers, who have increasingly relied on third-party and open source librarie, should double-check for patches for those libraries before using them in their apps, O'Leary advises.

"Before, development was about building code from start to finish. But now, developers use open source and third party libraries and it's scary to think that they don't even know the [security level] of what they are importing," O'Leary says.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
diya94
50%
50%
diya94,
User Rank: Apprentice
8/31/2017 | 7:22:16 AM
Appreciation to reader
it's really a happy news to read. The web app vulnerabilities is declining 25% in 12 months. The iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15607
PUBLISHED: 2018-08-21
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote atta...
CVE-2018-14795
PUBLISHED: 2018-08-21
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable due to improper path validation which may allow an attacker to replace executable files.
CVE-2018-6692
PUBLISHED: 2018-08-21
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post packet.
CVE-2018-14793
PUBLISHED: 2018-08-21
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable to a buffer overflow exploit through an open communication port to allow arbitrary code execution.
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...