Application Security

7/11/2017
09:50 PM
50%
50%

Web App Vulnerabilities Decline 25% in 12 Months

WhiteHat Security's annual Web app report shows the average number of vulns in a Web app is down from four to three.

Despite the number of vulnerabilities found in a single Web application falling by 25% in 2016 over the previous year, the number of exploitable flaws remains too high, according to WhiteHat Security's 12th Annual Application Security Statistics Report released today.

The average number of vulnerabilities found in a Web application fell to three from four, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center and Technical Support. Ideally that figure should be zero, however, he says.

"Three sounds like a low number but even one vulnerability can be exploited and give attackers access to your credit card information or other personal information. It only takes one vulnerability to create a huge issue for a company," says O'Leary.

WhiteHat, which gleaned the data from 15,000 Web applications it monitors and more than 65,600 mobile apps, also crunched the numbers on the days it takes to fix critical and high-risk vulnerabilities as well as the types of vulnerabilities that are the most prevalent on mobile devices and on the Web.

According to the report, the average time it takes to fix a high-risk vulnerability after its discovery is 196 days – 25 days longer than the average of 171 days in 2015.

The reason it's taking longer to fix high-risk vulnerabilities is likely due to software developers switching over to an Agile software development process from the older, traditional waterfall method, O'Leary says. While there's typically a chunk of time at the end of a waterfall project to fix vulnerabilities, there are smaller slivers of time to fix exploitable flaws under the Agile method, O'Leary explains.

As a result, software developers tend to want to fix the easiest vulnerabilities first under an Agile method and that usually means the more complex vulnerabilities get left behind, and those are usually also high-risk flaws, O'Leary says.

But critical vulnerabilities, such as those that can lead to a total compromise of a server, database, or sensitive information, are usually slotted in and addressed at the prompting of a CISO or business leader -- even under an Agile software development process, says O'Leary.

Fixing critical vulnerabilities improved in 2016, taking an average of 129 days, compared with 146 days in the previous year, the report found.

Where the Vulns Are

When it comes to mobile apps, the top three Android app categories where vulnerabilities were found included news, games, and lifestyle apps, according to the report. And for the iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.

The most common type of vulnerability for mobile apps, whether Android or iOS, is the communication that occurs between the mobile device itself and the backend server, O'Leary says. The vulnerability resides in the secure transportation of the data from the device to the backend server.

For Web apps, approximately 60% of applications are "always vulnerable" in the utilities, education, accommodations, retail, and manufacturing industries, the report found. The "always vulnerable" status means that WhiteHat was able to find at least one vulnerability in the app every minute of the day during the 12 months it collected data for the report.

Web apps continue to suffer from two major vulnerabilities that seem to have existed "forever," O'Leary says, cross-site scripting (XSS) and information leakage.

The most common type of Web app is XSS, regardless of the industry. "People have known about it forever but can't seem to fix it," he says.

Information leakage, meanwhile, often is the result of software developers leaving comments in their code, for example, he says. That information is made public when the app is launched and can ultimately provide attackers with enough information to aid them to launch an attack, O'Leary says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

One of the new vulnerabilities that has emerged over the last couple of years is insufficient transport layer security (TLS) protection, says O'Leary. He noted Heartbleed was the first to take advantage of the open TLS handshake that occurs as information is passed from the browser to the server.

"In 2012, you didn't see much of vulnerabilities in the transport layer but after Heartbleed, it set off a bunch of these types of vulnerabilities, he notes.

Software developers, who have increasingly relied on third-party and open source librarie, should double-check for patches for those libraries before using them in their apps, O'Leary advises.

"Before, development was about building code from start to finish. But now, developers use open source and third party libraries and it's scary to think that they don't even know the [security level] of what they are importing," O'Leary says.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
diya94
50%
50%
diya94,
User Rank: Apprentice
8/31/2017 | 7:22:16 AM
Appreciation to reader
it's really a happy news to read. The web app vulnerabilities is declining 25% in 12 months. The iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8360
PUBLISHED: 2019-02-16
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter.
CVE-2019-8361
PUBLISHED: 2019-02-16
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection.
CVE-2019-8362
PUBLISHED: 2019-02-16
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, o...
CVE-2019-8363
PUBLISHED: 2019-02-16
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value.
CVE-2019-8358
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.