7 Deadly Security Sins of Web Applications
The top ways organizations open themselves up to damaging Web app attacks.
April 3, 2018
Web application attacks are on the rise, according to recent figures from Akamai, which logged a 10% increase in attacks from Q4 of 2016 to the same time period in 2017.
"The vast majority of web application attacks are the result of untargeted scans looking for any vulnerable system, but a few are directed attempts to compromise a specific target," writes Martin McKeay, senior security advocate for the firm, within its most recent State of the Internet Security report. "In either case, they are so frequent and so 'noisy' — in other words, difficult to accurately detect — that many organizations are struggling to simply keep their web application firewalls running effectively, and do not have the spare cycles to worry about what their systems might be missing."
The bottom line is that organizations need to improve their secure coding practices to reduce their risk in this arena. This list highlights some of the biggest risks organizations open themselves up to when it comes to their Web apps.
It might be hard for security pros to believe, but this December it will be 20 years since the first SQL injection vulnerability was detailed by security researcher Jeff Forristal. Even now, SQL injection continues to rear its ugly head across copious numbers of websites and web apps.
According to a study by Alert Logic, SQL injection attacks still lead by a long shot as the most prevalent type of web attack, making up 55% of the incidents tracked among customers of the security monitoring firm.
Speaking of the Equifax breach, the deserialization flaw the attacker leveraged wasn't in the application's own code. Instead, it was in the widely used Apache Struts component embedded within the software.
This highlights yet another deadly sin in Web app security, namely relying on risky, unpatched open source components. Development shops are increasingly using open source components to build out their software, often with very little discipline in tracking which components are used where, let alone keeping track of which versions are used and whether those components themselves are dependent on other vulnerable components.
"Developers tend to rely more on the popularity of a given JavaScript library to determine its security, making the false assumption that if a lot of developers are using it, then it must be secure. This is a flawed approach," writes Will Chatham, a security assessment engineer for Arbor Networks. "Within a framework, one library may depend upon another, creating an intricate chain of dependencies. Deep within these chains there may be libraries that have poor security protection in place, or may even be susceptible to several types of malicious behavior, opening them up to what are known as supply chain attacks."
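The tracking discipline the two paragraphs above call for (which components are used where, at which version, and through which chain of dependencies) amounts to walking the transitive dependency graph against an advisory list. The example below is added here and is not from the article, Arbor Networks, or any real package manager; the package names, versions, and advisory entries are all constructed for illustration.

```python
from collections import deque

# Constructed dependency graph: package -> (installed version, direct dependencies).
# Names and versions are invented; they do not correspond to real libraries.
DEPENDENCY_TREE = {
    "webapp": ("1.0.0", ["ui-kit", "http-client"]),
    "ui-kit": ("2.3.1", ["dom-utils", "template-engine"]),
    "http-client": ("0.9.4", ["dom-utils"]),
    "dom-utils": ("1.1.0", []),
    "template-engine": ("4.0.2", ["string-escape"]),
    "string-escape": ("0.2.0", []),
}

# Constructed advisory feed: package -> versions known to be vulnerable.
ADVISORIES = {
    "string-escape": {"0.2.0"},   # installed version matches: flagged
    "dom-utils": {"1.1.0"},       # matches, and is reachable by two paths
    "http-client": {"0.8.0"},     # installed 0.9.4 does not match: not flagged
}


def find_vulnerable_paths(tree: dict, advisories: dict, root: str) -> dict:
    """Breadth-first walk of the transitive dependency graph from `root`.

    Returns {"pkg@version": [path, ...]} for every vulnerable package actually
    pulled in. The paths are what answer 'which component is used where': a
    deep transitive dependency can be reached from several top-level ones."""
    results = {}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        version, deps = tree[pkg]
        if version in advisories.get(pkg, set()):
            results.setdefault(f"{pkg}@{version}", []).append(" -> ".join(path))
        for dep in deps:
            if dep not in path:  # guard against cyclic dependency declarations
                queue.append((dep, path + [dep]))
    return results


if __name__ == "__main__":
    for package, paths in find_vulnerable_paths(DEPENDENCY_TREE, ADVISORIES, "webapp").items():
        print(package)
        for p in paths:
            print("   ", p)
```

The point of reporting paths rather than a flat list is that the fix for a vulnerable transitive dependency is usually an upgrade of the top-level package that pulls it in, and a component reachable through two chains needs both of them updated.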
"Cross-site scripting (XSS) is a common vector that inserts malicious code into a web application found to be vulnerable," Daniel Svartman of Imperva explained this week. "Unlike other web attack types, such as SQLI, its objective isn't your web application. Rather, it targets its users, resulting in harm to your clients and the reputation of your organization."
Like SQLi, XSS has been around for a while and still puts the hurt on organizations. And as Mozilla's April King explains, one of the most effective ways of stopping XSS attacks is the use of Content Security Policy (CSP), which has seen strong growth but still is rarely used by most websites.
According to figures from Mozilla Observatory scans of the Alexa Top 1M websites, only about 0.022% of them currently use CSP. Counting sites whose CSP is complete except for allowing inline stylesheets (CSS) gives a slightly better rate of uptake, 0.112% of the Alexa Top 1M.
The good news is that organizations are getting much better these days at deploying HTTPS. The bad news is that there's still a long way to go.
Mozilla's Observatory scans from last month show that about 54.3% of the Alexa Top 1M sites are using HTTPS, a nice 19% bump over scans done last summer. But that still means just under half of the top sites are behind the times.
Not only that, but there's still a very long way to go before most sites forbid the use of HTTP. This is done using HTTP Strict Transport Security (HSTS), and according to Mozilla, it's only in place on about 6% of the Alexa Top 1M.
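The CSP and HSTS figures quoted in the two sections above come from checks on response headers: whether a policy is present, whether it still permits inline scripts or only inline styles, and whether HSTS is set with a long enough max-age. The audit below is an added example, not the article's or Mozilla Observatory's code; it parses constructed header sets and grades them in that spirit. The verdict strings and the six-month max-age threshold are choices made for this example.

```python
MIN_HSTS_MAX_AGE = 15768000  # about six months; threshold chosen for this example


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its three meaningful fields."""
    parsed = {"max-age": 0, "includesubdomains": False, "preload": False}
    for token in header.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                parsed["max-age"] = int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                parsed["max-age"] = 0  # malformed value: treat as no protection
        elif token in ("includesubdomains", "preload"):
            parsed[token] = True
    return parsed


def audit_headers(headers: dict) -> dict:
    """Grade one response's headers. Returns {"csp": verdict, "hsts": verdict}."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}

    csp = h.get("content-security-policy")
    if csp is None:
        findings["csp"] = "missing"
    else:
        policy = parse_csp(csp)
        # script-src and style-src fall back to default-src when absent
        scripts = policy.get("script-src", policy.get("default-src"))
        styles = policy.get("style-src", policy.get("default-src"))
        if scripts is None:
            findings["csp"] = "present but no default-src or script-src: scripts unrestricted"
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings["csp"] = "present but inline or wildcard scripts allowed: little XSS protection"
        elif styles is not None and "'unsafe-inline'" in styles:
            findings["csp"] = "implemented except for inline styles"
        else:
            findings["csp"] = "implemented"

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["hsts"] = "missing: browsers may still use plain HTTP"
    else:
        parsed = parse_hsts(hsts)
        if parsed["max-age"] < MIN_HSTS_MAX_AGE:
            findings["hsts"] = "present but max-age too short"
        elif not parsed["includesubdomains"]:
            findings["hsts"] = "implemented for this host only"
        else:
            findings["hsts"] = "implemented"
    return findings


# Constructed header sets standing in for four sites' responses.
SAMPLE_RESPONSES = {
    "no-policy": {"Content-Type": "text/html"},
    "weak-csp": {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"},
    "style-exception": {
        "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "strict": {
        "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    },
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, audit_headers(headers))
```

The "implemented except for inline styles" verdict is the category the article's second CSP figure describes: a policy that locks down scripts, which is what actually blunts XSS, while still tolerating inline CSS.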