
The Web App Security Gap

Attacks on applications quickly evolve in intelligence, but most enterprises' Web application security strategies are still stuck in the primordial ooze

There are about 92 million sites on the World Wide Web, according to industry estimates. How many of them have been audited by a third party for application security vulnerabilities?

"I'd say maybe 10,000," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who also is a member of the board for the Web Application Security Consortium. "And that's pushing it."

All over the industry, application security experts are warning IT and security departments that the gap is growing between today's rapidly evolving app-oriented exploits and the still-nascent defenses that most enterprises have in place. Yet, so far, most enterprises are moving at a snail's pace.

"I think a lot of people just don't understand the scope of the problem," says Mike Weider, CTO and founder of Watchfire, which makes one of the industry's oldest and best-selling tools for applications scanning. "In some cases, they have 1,000 Web apps or more, and those applications are changing daily. They may have checked for vulnerabilities in a few of those apps, but any of them could lead to a breach."

Industry statistics indicate that the experts are not just whistling Dixie. WhiteHat Security estimates that seven or eight out of every ten Websites are hosting at least one serious vulnerability that could put their data at risk. Gartner has estimated that figure at closer to 90 percent.

Attackers, meanwhile, have spotted the weak spot and are going after it. Symantec currently estimates that about 78 percent of all attacks are taking place at the Web application level. Last month's report from Mitre, which tracks common vulnerabilities and exposures across the Web, indicates that application-level attacks such as cross-site scripting and SQL injection have supplanted exploits such as buffer overflow as the favorite vectors for Web attacks. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

Yet most enterprises still do not own a Web application firewall, and many don't yet do any application scanning, experts say. Many enterprises have never had a third party audit their apps for vulnerabilities -- in fact, many large enterprises don't even know how many Websites they operate, they say.

"One of the first things [WhiteHat] does when we go to a client site is find out where the sites are and who controls them," Grossman says. "A lot of companies are surprised to see how many sites they've got and how many Web apps they are really supporting."

Once they've got a handle on the scope of the problem, many organizations are unsure about how to solve it, experts say. The chief problem is there is no single tool that can find and fix all of the vulnerabilities. Web application firewalls protect against some threats, but they also let others through. App scanning tools can find many vulnerabilities, but they are far from 100 percent effective.

"There's a lot of detection that can only be done manually at this point," says Grossman. And many organizations are still unsure whether this sort of detection should be done by the IT security staff or by the developers who wrote the applications in the first place.

"Ultimately, you want to build the vulnerability scanning and testing phase into your development process, just as you do [quality assurance]," Weider says. "That's the only way to ensure that you're checking all of the applications that you're putting out there."

Realistically, however, enterprises should be more concerned about the applications they've already deployed than about revamping their QA process. "There are 92 million sites already out there," Grossman says. "It makes more sense to start backwards and check the apps that are exposed."

Enterprises should attack the problem first by identifying all their sites and the applications running on them, experts say. An audit by a third-party expert and a scan by a vulnerability scanning tool can give the enterprise a starting point for remediation. But even taking both of those steps will not eliminate all of the vulnerabilities.

"It's going to take some time to ferret out all of the vulnerabilities," Grossman says. "That's one reason why organizations need to get started."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
