Dark Reading is part of the Informa Tech Division of Informa PLC


1/9/2019, 07:55 PM
Robert Lemos

Web Vulnerabilities Up, IoT Flaws Down

The number of flaws found in WordPress and its associated plugins have tripled since 2017, while Internet of Things vulnerabilities dropped significantly, according to data collected by Imperva.

The total number of vulnerabilities in Web applications reported by researchers jumped to 17,142 in 2018, climbing more than 21% compared to the previous year and driven in part by the large number of flaws found in Web applications and application programming interfaces. 

Popular content management system (CMS) WordPress had the most reported vulnerabilities, with 542. WordPress has a large ecosystem that includes more than 54,000 plugins, and those same third-party plugins accounted for almost all (98%) of the Web security issues found by researchers last year, according to Web security firm Imperva, which published its findings in a report this week.

That popularity and extensibility makes WordPress popular with Web developers but also with online attackers, says Nadav Avital, research manager for threat analytics at Imperva.

"These make WordPress a lucrative asset that many hackers set their eyes upon—any security hole they may be able to find and exploit can lead to a mass infection," he says.

On the Rise

According to the National Vulnerability Database, the number of publicly disclosed vulnerabilities overall (not just in Web apps) rose more than 127% in 2017, to 14,649 disclosed issues, after more than a decade of varying between 5,000 and 8,000 annual reports. Increases in the development of online applications, the use of open-source components, and more rigorous security testing are all likely contributing factors for the increase.

"It is somewhat expected that the overall number of vulnerabilities rises year after year," Imperva's Avital says. "Each year there are more products—new and legacy—to check and more sophisticated tools to check them with."

According to the NVD, the number of overall reported vulnerabilities continued to climb in 2018, increasing nearly 13% to more than 16,500. Other organizations tracking more specific classes of security flaws have seen similar increases: the number of vulnerabilities in open-source components, for example, has increased 51% to more than 3,200 documented issues, according to software-security firm WhiteSource Software.

"We definitely see a lot of growth in terms of the number of vulnerabilities associated with modern applications," said David Habusha, vice president of products at WhiteSource. "The attackers are focused on front-end facing Web servers, content management platforms, and Internet of Things."

While WordPress accounted for more than 500 vulnerabilities, another content management system, Drupal, had two of the most attacked vulnerabilities, Imperva found. 

In terms of vulnerability classes, however, issues that allow commands to be run via another application, often referred to as injection attacks, accounted for 3,294 flaws, according to the report. Remote command execution accounted for the largest portion of vulnerabilities, with 1,980.
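To make the "commands run via another application" class concrete, the following added example (written for this article, not code from Imperva's report or from any product it discusses) contrasts the pattern behind most command-injection findings with its hardened form. The vulnerable builder only constructs the command string so that its tokenization can be inspected; nothing is executed. The hostname policy in `HOSTNAME_RE` and the function names are assumptions chosen for the illustration.

```python
import re
import shlex
import subprocess

# Assumed input policy for this example: RFC 1123-style hostname labels
# (letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen), dotted.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a single string
    that a shell will later parse. Included only to show how the class arises;
    this example never passes the result to a shell."""
    return "ping -c 1 " + host


def shell_tokens(command: str) -> list[str]:
    """Approximate how a POSIX shell would tokenize the string.
    shlex with punctuation_chars=True splits on ; | & ( ) < > like a shell does,
    so we can see whether the input stayed a single argument."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_ping_command_safe(host: str) -> list[str]:
    """Hardened form: validate the input against an allow-list pattern, then
    build an argument vector. The host is one argv element and is never
    interpreted by a shell, so metacharacters cannot add commands."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened command with shell=False; returns the exit status."""
    argv = build_ping_command_safe(host)
    completed = subprocess.run(argv, shell=False, capture_output=True, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample input: a hostname with a trailing shell metacharacter
    # sequence, the kind of value an injection finding would involve.
    tainted = "example.com; id"
    print("unsafe string tokenizes to:", shell_tokens(build_ping_command_unsafe(tainted)))
    try:
        build_ping_command_safe(tainted)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("hardened argv for a valid host:", build_ping_command_safe("example.com"))
```

The tokenization of the unsafe string shows the tainted value becoming separate tokens (`example.com`, `;`, `id`), which is exactly what a shell would run as two commands; the argument-vector form keeps the whole value as one element even before validation, and the allow-list check rejects it outright.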

IoT Vulns Dropped

While Web applications appear to be increasingly targeted, another major focus of vulnerability research—the Internet of Things—appeared to fare pretty well in 2018, according to the Imperva report. The number of vulnerabilities found in IoT devices and software fell to its lowest level in three years. 

The increasing interest in developing security standards and best practices has likely prompted vendors to invest more in security, Imperva's Avital says.

"While fewer vulnerabilities were found in IoT products, it does not mean that IoT is safe from cyberattackers," he says. "While new IoT products may be more secure, many IoT vendors still don't push security updates and if they did, it isn't clear how to update or if they can even be deployed as some devices cannot be taken offline."

Companies need both to automate their vulnerability scanning and to use agile development methodologies so that security issues are fixed as early in the software-development cycle as possible, says Dan Cornell, chief technology officer for the Denim Group, a software-security firm.

"I think we are still at the saturation point, where organizations have a much greater focus on the detection of vulnerabilities over the remediation of vulnerabilities," Cornell says. "People are still doing a lot of testing, but they still are not fixing enough."

To fix vulnerabilities and reduce the number of issues that actually make it into production, code-checking software can help developers take a greater role in securing the software as it is written.
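As an added illustration of the kind of check such code-checking tooling performs at development time (this is example code written for this article, not the product of Imperva, WhiteSource, the Denim Group or any tool they sell), the following walks a Python module's syntax tree and flags the command-execution pattern from the injection class discussed above: an `os.system`/`os.popen` call, or a `subprocess` call with `shell=True`, whose command argument is not a string literal. The sample source it scans is constructed for the example, and the sink lists are assumptions, not a complete catalogue.

```python
import ast

# Assumed sinks for this example: functions that hand a string to a shell.
OS_SHELL_SINKS = {"system", "popen"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _callee_name(call: ast.Call):
    """Return 'module.func' for calls like os.system(...), or a bare name."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return None


def _is_string_literal(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _has_shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_shell_injection_risks(source: str, filename: str = "<input>"):
    """Return a sorted list of (line, callee) for shell sinks whose command
    argument is built at runtime rather than written as a literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name is None or not node.args:
            continue
        module, _, func = name.rpartition(".")
        risky = (module == "os" and func in OS_SHELL_SINKS) or (
            module == "subprocess" and func in SUBPROCESS_FUNCS and _has_shell_true(node)
        )
        if risky and not _is_string_literal(node.args[0]):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample module: two risky patterns, two acceptable ones.
SAMPLE_SOURCE = '''\
import os
import subprocess

def list_dir_unsafe(path):
    return os.system("ls " + path)          # line 5: string built from input, shell parses it

def list_dir_safe(path):
    return subprocess.run(["ls", path])     # line 8: argv list, no shell involved

def list_dir_shell(path):
    return subprocess.run("ls " + path, shell=True)  # line 11: runtime string plus shell=True

def list_root_shell():
    return subprocess.run("ls /", shell=True)        # line 14: literal command, no untrusted input
'''


if __name__ == "__main__":
    for line, callee in find_shell_injection_risks(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {callee} called with a non-literal command string")
```

Run against the sample, the check reports lines 5 and 11 and stays quiet on the argv-list call and the literal-only call, which is the distinction a developer needs to see before the code reaches review. A real tool would also track taint across assignments and handle aliased imports; this version deliberately keeps to the one pattern so the logic stays inspectable.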


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments

REISEN1955, 1/10/2019, 9:26:26 AM
On WordPress
This is a sinkhole of a web page provider - almost all of our internet page issues come from WordPress sponsored sites and I really think it should be avoided whenever possible if not just abolished entirely. There is no trust in their controls and/or features. Assume if you sponsor through this one, your data will be hacked in short order.