Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

The Web App Security Gap

Attacks on applications quickly evolve in intelligence, but most enterprises' Web application security strategies are still stuck in the primordial ooze

There are about 92 million sites on the World Wide Web, according to industry estimates. How many of them have been audited by a third party for application security vulnerabilities?

"I'd say maybe 10,000," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who also is a member of the board for the Web Application Security Consortium. "And that's pushing it."

All over the industry, application security experts are warning IT and security departments that the gap is growing between today's rapidly-evolving app-oriented exploits and the still-nascent defenses that most enterprises have in place. Yet, so far, most enterprises are moving at a snail's pace.

"I think a lot of people just don't understand the scope of the problem," says Mike Weider, CTO and founder of Watchfire, which makes one of the industry's oldest and best-selling tools for applications scanning. "In some cases, they have 1,000 Web apps or more, and those applications are changing daily. They may have checked for vulnerabilities in a few of those apps, but any of them could lead to a breach."

Industry statistics indicate that the experts are not just whistling Dixie. WhiteHat Security estimates that seven or eight out of every ten Websites are hosting at least one serious vulnerability that could put its data at risk. Gartner has estimated that figure at closer to 90 percent.

Attackers, meanwhile, have spotted the weak spot and are going after it. Symantec currently estimates that about 78 percent of all attacks are taking place at the Web application level. Last month's report from Mitre, which tracks common vulnerabilities and exposures across the Web, indicates that application-level attacks such as cross-site scripting and SQL injection have supplanted exploits such as buffer overflow as the favorite vectors for Web attacks. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

Yet most enterprises still do not own a Web application firewall, and many don't yet do any application scanning, experts say. Many enterprises have never had a third party audit their apps for vulnerabilities -- in fact, many large enterprises don't even know how many Websites they operate, they say.

"One of the first things [WhiteHat] does when we go to a client site is find out where the sites are and who controls them," Grossman says. "A lot of companies are surprised to see how many sites they've got and how many Web apps they are really supporting."

Once they've got a handle on the scope of the problem, many organizations are unsure about how to solve it, experts say. The chief problem is there is no single tool that can find and fix all of the vulnerabilities. Web application firewalls protect against some threats, but they also let others through. App scanning tools can find many vulnerabilities, but they are far from 100 percent effective.

"There's a lot of detection that can only be done manually at this point," says Grossman. And many organizations are still unsure whether this sort of detection should be done by the IT security staff or by the developers who wrote the applications in the first place.

"Ultimately, you want to build the vulnerability scanning and testing phase into your development process, just as you do [quality assurance]," Weider says. "That's the only way to ensure that you're checking all of the applications that you're putting out there."

Realistically, however, enterprises should be more concerned about the applications they've already deployed than about revamping their QA process. "There are 92 million sites already out there," Grossman says. "It makes more sense to start backwards and check the apps that are exposed."

Enterprises should attack the problem first by identifying all their sites and the applications running on them, experts say. An audit by a third-party expert and a scan by a vulnerability scanning tool can give the enterprise a starting point for remediation. But even taking both of those steps will not eliminate all of the vulnerabilities.

"It's going to take some time to ferret out all of the vulnerabilities," Grossman says. "That's one reason why organizations need to get started."

— Tim Wilson, Site Editor, Dark Reading

  • Symantec Corp. (Nasdaq: SYMC)
  • Watchfire Corp.
  • WhiteHat Security

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Ransomware Damage Hit $11.5B in 2019
    Dark Reading Staff 2/20/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-5243
    PUBLISHED: 2020-02-21
    uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
    CVE-2019-14688
    PUBLISHED: 2020-02-20
    Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
    CVE-2019-19694
    PUBLISHED: 2020-02-20
    The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
    CVE-2020-5242
    PUBLISHED: 2020-02-20
    openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
    CVE-2020-8601
    PUBLISHED: 2020-02-20
    Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.