Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/11/2017
09:50 PM
50%
50%

Web App Vulnerabilities Decline 25% in 12 Months

WhiteHat Security's annual Web app report shows the average number of vulns in a Web app is down from four to three.

Despite the number of vulnerabilities found in a single Web application falling by 25% in 2016 over the previous year, the number of exploitable flaws remains too high, according to WhiteHat Security's 12th Annual Application Security Statistics Report released today.

The average number of vulnerabilities found in a Web application fell to three from four, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center and Technical Support. Ideally that figure should be zero, however, he says.

"Three sounds like a low number but even one vulnerability can be exploited and give attackers access to your credit card information or other personal information. It only takes one vulnerability to create a huge issue for a company," says O'Leary.

WhiteHat, which gleaned the data from 15,000 Web applications it monitors and more than 65,600 mobile apps, also crunched the numbers on the days it takes to fix critical and high-risk vulnerabilities as well as the types of vulnerabilities that are the most prevalent on mobile devices and on the Web.

According to the report, the average time it takes to fix a high-risk vulnerability after its discovery is 196 days – 25 days longer than the average of 171 days in 2015.

The reason it's taking longer to fix high-risk vulnerabilities is likely due to software developers switching over to an Agile software development process from the older, traditional waterfall method, O'Leary says. While there's typically a chunk of time at the end of a waterfall project to fix vulnerabilities, there are smaller slivers of time to fix exploitable flaws under the Agile method, O'Leary explains.

As a result, software developers tend to want to fix the easiest vulnerabilities first under an Agile method and that usually means the more complex vulnerabilities get left behind, and those are usually also high-risk flaws, O'Leary says.

But critical vulnerabilities, such as those that can lead to a total compromise of a server, database, or sensitive information, are usually slotted in and addressed at the prompting of a CISO or business leader -- even under an Agile software development process, says O'Leary.

Fixing critical vulnerabilities improved in 2016, taking an average of 129 days, compared with 146 days in the previous year, the report found.

Where the Vulns Are

When it comes to mobile apps, the top three Android app categories where vulnerabilities were found included news, games, and lifestyle apps, according to the report. And for the iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.

The most common type of vulnerability for mobile apps, whether Android or iOS, is the communication that occurs between the mobile device itself and the backend server, O'Leary says. The vulnerability resides in the secure transportation of the data from the device to the backend server.

For Web apps, approximately 60% of applications are "always vulnerable" in the utilities, education, accommodations, retail, and manufacturing industries, the report found. The "always vulnerable" status means that WhiteHat was able to find at least one vulnerability in the app every minute of the day during the 12 months it collected data for the report.

Web apps continue to suffer from two major vulnerabilities that seem to have existed "forever," O'Leary says, cross-site scripting (XSS) and information leakage.

The most common type of Web app is XSS, regardless of the industry. "People have known about it forever but can't seem to fix it," he says.

Information leakage, meanwhile, often is the result of software developers leaving comments in their code, for example, he says. That information is made public when the app is launched and can ultimately provide attackers with enough information to aid them to launch an attack, O'Leary says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

One of the new vulnerabilities that has emerged over the last couple of years is insufficient transport layer security (TLS) protection, says O'Leary. He noted Heartbleed was the first to take advantage of the open TLS handshake that occurs as information is passed from the browser to the server.

"In 2012, you didn't see much of vulnerabilities in the transport layer but after Heartbleed, it set off a bunch of these types of vulnerabilities, he notes.

Software developers, who have increasingly relied on third-party and open source librarie, should double-check for patches for those libraries before using them in their apps, O'Leary advises.

"Before, development was about building code from start to finish. But now, developers use open source and third party libraries and it's scary to think that they don't even know the [security level] of what they are importing," O'Leary says.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
diya94
50%
50%
diya94,
User Rank: Apprentice
8/31/2017 | 7:22:16 AM
Appreciation to reader
it's really a happy news to read. The web app vulnerabilities is declining 25% in 12 months. The iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
CVE-2020-7222
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...