
The Web App Security Gap

Attacks on applications quickly evolve in intelligence, but most enterprises' Web application security strategies are still stuck in the primordial ooze

There are about 92 million sites on the World Wide Web, according to industry estimates. How many of them have been audited by a third party for application security vulnerabilities?

"I'd say maybe 10,000," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who also is a member of the board for the Web Application Security Consortium. "And that's pushing it."

All over the industry, application security experts are warning IT and security departments that the gap is growing between today's rapidly evolving app-oriented exploits and the still-nascent defenses that most enterprises have in place. Yet so far, most enterprises are moving at a snail's pace.

"I think a lot of people just don't understand the scope of the problem," says Mike Weider, CTO and founder of Watchfire, which makes one of the industry's oldest and best-selling tools for applications scanning. "In some cases, they have 1,000 Web apps or more, and those applications are changing daily. They may have checked for vulnerabilities in a few of those apps, but any of them could lead to a breach."

Industry statistics indicate that the experts are not just whistling Dixie. WhiteHat Security estimates that seven or eight out of every ten Websites are hosting at least one serious vulnerability that could put their data at risk. Gartner has estimated that figure at closer to 90 percent.

Attackers, meanwhile, have spotted the weak spot and are going after it. Symantec currently estimates that about 78 percent of all attacks are taking place at the Web application level. Last month's report from Mitre, which tracks common vulnerabilities and exposures across the Web, indicates that application-level attacks such as cross-site scripting and SQL injection have supplanted exploits such as buffer overflow as the favorite vectors for Web attacks. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

Yet most enterprises still do not own a Web application firewall, and many don't yet do any application scanning, experts say. Many enterprises have never had a third party audit their apps for vulnerabilities -- in fact, many large enterprises don't even know how many Websites they operate, they say.

"One of the first things [WhiteHat] does when we go to a client site is find out where the sites are and who controls them," Grossman says. "A lot of companies are surprised to see how many sites they've got and how many Web apps they are really supporting."

Once they've got a handle on the scope of the problem, many organizations are unsure about how to solve it, experts say. The chief problem is there is no single tool that can find and fix all of the vulnerabilities. Web application firewalls protect against some threats, but they also let others through. App scanning tools can find many vulnerabilities, but they are far from 100 percent effective.

"There's a lot of detection that can only be done manually at this point," says Grossman. And many organizations are still unsure whether this sort of detection should be done by the IT security staff or by the developers who wrote the applications in the first place.

"Ultimately, you want to build the vulnerability scanning and testing phase into your development process, just as you do [quality assurance]," Weider says. "That's the only way to ensure that you're checking all of the applications that you're putting out there."

Realistically, however, enterprises should be more concerned about the applications they've already deployed than about revamping their QA process. "There are 92 million sites already out there," Grossman says. "It makes more sense to start backwards and check the apps that are exposed."

Enterprises should attack the problem first by identifying all their sites and the applications running on them, experts say. An audit by a third-party expert and a scan by a vulnerability scanning tool can give the enterprise a starting point for remediation. But even taking both of those steps will not eliminate all of the vulnerabilities.

"It's going to take some time to ferret out all of the vulnerabilities," Grossman says. "That's one reason why organizations need to get started."

— Tim Wilson, Site Editor, Dark Reading
