Vulnerabilities / Threats

2/22/2017
09:30 AM
50%
50%

80% Of Web Applications Contain At Least One Security Bug

Study by Contrast Security finds an average of 45 vulnerabilities per Web application.

A new study on Web application vulnerabilities by security software firm Contrast Security shows that sensitive data exposure affects 69% of these applications and is responsible for 26% of all vulnerabilities.

Some 80% of applications contain at least one flaw, with an average of 45 vulnerabilities per application: 55% are affected by cross-site request forgery and 37% suffered from security misconfiguration.

"All of these vulnerabilities have been documented in the OWASP (Open Web Application Security Project) Top Ten for over a decade, yet they're obviously still a major problem," said Jeff Williams, co-founder and CTO of Contrast Security.

On comparing application vulnerabilities across Java and .NET, researchers discovered that cross-site request forgery had a higher occurrence rate in Java applications (69%) as compared to .NET (31%). Additionally, .NET applications suffered from fewer injection flaws (17%) than Java (38%).

"Insecure code has become the leading security risk and, increasingly, the leading business risk as well," Williams said.

The full survey is here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TylerS27501
50%
50%
TylerS27501,
User Rank: Author
11/21/2017 | 3:38:18 PM
80% Of Code
If this is true the real quesetion is why are enterprises still spending 80% of their security spend on network security and leaving the application layer so vulnerable to attack?
Jet Hedon
50%
50%
Jet Hedon,
User Rank: Apprentice
2/23/2017 | 3:04:48 PM
Re: 80%?
Haha agreed
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
2/22/2017 | 11:22:51 AM
80%?
80%?  I think you are 20.5% low from my experience.
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
The Single Cybersecurity Question Every CISO Should Ask
Arif Kareem, CEO, ExtraHop,  4/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11320
PUBLISHED: 2019-04-18
In Motorola CX2 1.01 and M2 1.01, users can access the router's /priv_mgt.html web page to launch telnetd, as demonstrated by the 192.168.51.1 address.
CVE-2019-11321
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. The router opens TCP port 8010. Users can send hnap requests to this port without authentication to obtain information such as the MAC addresses of connected client devices.
CVE-2019-11322
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function startRmtAssist in hnap, which leads to remote code execution via shell metacharacters in a JSON value.
CVE-2019-8999
PUBLISHED: 2019-04-18
An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.
CVE-2018-17168
PUBLISHED: 2019-04-18
PrinterOn Enterprise 4.1.4 contains multiple Cross Site Request Forgery (CSRF) vulnerabilities in the Administration page. For example, an administrator, by following a link, can be tricked into making unwanted changes to a printer (Disable, Approve, etc).