
The Web App Security Gap

Attacks on applications quickly evolve in intelligence, but most enterprises' Web application security strategies are still stuck in the primordial ooze

There are about 92 million sites on the World Wide Web, according to industry estimates. How many of them have been audited by a third party for application security vulnerabilities?

"I'd say maybe 10,000," says Jeremiah Grossman, CTO and founder of WhiteHat Security, who also is a member of the board for the Web Application Security Consortium. "And that's pushing it."

All over the industry, application security experts are warning IT and security departments that the gap is growing between today's rapidly evolving app-oriented exploits and the still-nascent defenses that most enterprises have in place. Yet, so far, most enterprises are moving at a snail's pace.

"I think a lot of people just don't understand the scope of the problem," says Mike Weider, CTO and founder of Watchfire, which makes one of the industry's oldest and best-selling tools for applications scanning. "In some cases, they have 1,000 Web apps or more, and those applications are changing daily. They may have checked for vulnerabilities in a few of those apps, but any of them could lead to a breach."

Industry statistics indicate that the experts are not just whistling Dixie. WhiteHat Security estimates that seven or eight out of every ten Websites are hosting at least one serious vulnerability that could put their data at risk. Gartner has estimated that figure at closer to 90 percent.

Attackers, meanwhile, have spotted the weak spot and are going after it. Symantec currently estimates that about 78 percent of all attacks are taking place at the Web application level. Last month's report from Mitre, which tracks common vulnerabilities and exposures across the Web, indicates that application-level attacks such as cross-site scripting and SQL injection have supplanted exploits such as buffer overflow as the favorite vectors for Web attacks. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

Yet most enterprises still do not own a Web application firewall, and many don't yet do any application scanning, experts say. Many enterprises have never had a third party audit their apps for vulnerabilities -- in fact, many large enterprises don't even know how many Websites they operate, they say.

"One of the first things [WhiteHat] does when we go to a client site is find out where the sites are and who controls them," Grossman says. "A lot of companies are surprised to see how many sites they've got and how many Web apps they are really supporting."

Once they've got a handle on the scope of the problem, many organizations are unsure about how to solve it, experts say. The chief problem is there is no single tool that can find and fix all of the vulnerabilities. Web application firewalls protect against some threats, but they also let others through. App scanning tools can find many vulnerabilities, but they are far from 100 percent effective.

"There's a lot of detection that can only be done manually at this point," says Grossman. And many organizations are still unsure whether this sort of detection should be done by the IT security staff or by the developers who wrote the applications in the first place.

"Ultimately, you want to build the vulnerability scanning and testing phase into your development process, just as you do [quality assurance]," Weider says. "That's the only way to ensure that you're checking all of the applications that you're putting out there."

Realistically, however, enterprises should be more concerned about the applications they've already deployed than about revamping their QA process. "There are 92 million sites already out there," Grossman says. "It makes more sense to start backwards and check the apps that are exposed."

Enterprises should attack the problem first by identifying all their sites and the applications running on them, experts say. An audit by a third-party expert and a scan by a vulnerability scanning tool can give the enterprise a starting point for remediation. But even taking both of those steps will not eliminate all of the vulnerabilities.

"It's going to take some time to ferret out all of the vulnerabilities," Grossman says. "That's one reason why organizations need to get started."

— Tim Wilson, Site Editor, Dark Reading
