Invicti Security Reports a Lost Year for Web App Security

As the pandemic began a year ago and many companies shifted their security focus to issues directly related to remote workforces, we already had a pretty good idea what will happen to Web application security. We felt that the shift away from Web application security would halt or even reverse the slow improvement trend that we observed for several years. Unfortunately, we were not wrong.

For 7 years now, we've been monitoring the number and types of Web vulnerabilities present in real Web applications, websites, and APIs. Every year, we took a large anonymous sample of scans executed on Web targets in our Acunetix Online cloud solution, and then we performed a deep analysis of that data. We published this analysis as the Acunetix Web Application Vulnerability Report, which is now a part of the Invicti AppSec Indicator by Invicti Security.

While the number of vulnerabilities, even the most severe ones, was always quite substantial, we kept observing a year-to-year improvement trend. It was not fast, just a few percent at a time. In 2020, this trend reversed, and the total number of vulnerabilities found was 1% higher than in 2019.

In 2020, 27% of Web targets that we tested had high-severity vulnerabilities and 63% of them had medium-severity vulnerabilities. This means that, on average, one in four Web applications is open to the most serious attacks. Note that this data represents businesses that take their Web security seriously and employ a Web application security solution. We can only guess that in the case of Web applications and websites that are not regularly secured, the results are probably much worse.

What does this mean for businesses? It means a major risk of a security breach. The number of businesses that rely on Web technologies grows by the hour with more and more shifting to the cloud and transforming their legacy applications into cloud-based Web applications. Many businesses also rely on mobile applications, which are based on Web APIs — again, susceptible to the same types of attacks as Web applications.

According to a recent survey by one of the world's most renowned consulting firms, Web vulnerabilities are currently the No. 1 cause of security breaches, which most commonly lead to theft of sensitive data and can have even more serious consequences, including full system takeover. It's not phishing, it's not endpoint attacks — it's the Web. Even the latest attacks on Microsoft Exchange in 2021 were a result of Web vulnerabilities. Therefore, we believe that the shift away from Web security was a major mistake on the part of many businesses.

It is our feeling that 2021 should be the year that businesses focus strongly on rectifying this situation. Now that they have secured their remote employees well and now that remote work is no longer a novelty and does not require major focus shifts, businesses can come back and secure their most vulnerable entry point — the Web. And we're here to help.

While a DAST tool like Acunetix is, obviously, only one of several measures required to attain a high level of Web application security, it's widely perceived as the best starting point. However, as the Invicti AppSec Indicator shows, having a DAST tool is not enough. Having efficient vulnerability assessment and vulnerability management (also available in Acunetix) is not enough, either.

What is needed is the realization that Web application security vulnerabilities should be prioritized over other types of vulnerabilities. What is needed is efficient transformation of Web application security from being owned by security teams to being owned by development teams instead. A security shift left is not just a trend to follow. It's a necessity.

The slow improvement over the years, culminating in 2020 by a reverse trend, is the best proof that businesses are actually struggling to rectify their Web application security situation. It means that either developers keep introducing nearly as many new vulnerabilities as the ones already fixed, or (more probable) they don't focus on eliminating the vulnerabilities that are already present, even the easiest-to-rectify ones such as SQL injections.

It's time to take action. Time to consider including DAST security scans as early as possible so that developers can't commit code with major vulnerabilities. Time to not only bring back the slow improvement trend but make bolder steps toward eliminating major threats. Time to make Web application security your priority.

About the Author

Leading the team behind the explosive development of Acunetix since 2016, Nicholas Sciberras is responsible for fronting lots of innovations in the product, which are unique to the Web application security industry. Under his technical leadership, the product keeps reaching new heights. Privately, Nicholas is not easily found behind a desk but rather on a hike through tough Mediterranean terrain full of flash flood gullies, dry-stone walls, thyme, olive trees, and prickly pears or on a motorbike tour around Europe with nothing but a lightly packed rucksack and basic camping equipment.