The total number of vulnerabilities in Web applications reported by researchers jumped to 17,142 in 2018, climbing more than 21% compared to the previous year and driven in part by the large number of flaws found in Web applications and application programming interfaces.
Popular content management system (CMS) WordPress had the most reported vulnerabilities, with 542. WordPress has a large ecosystem that includes more than 54,000 plug-ins: those same third-party plugins accounted for almost all—98%—of the Web security issues found by researchers last year, according to Web security firm Imperva, which published its findings in a report this week.
That popularity and extensibility makes WordPress popular with Web developers but also with online attackers, says Nadav Avital, research manager for threat analytics at Imperva.
"These make WordPress a lucrative asset that many hackers set their eyes upon—any security hole they may be able to find and exploit can lead to a mass infection," he says.
On the Rise
According to the National Vulnerability Database, the number of publicly disclosed overall vulnerabilities (not just in Web apps) jumped significantly in 2017, jumping more than 127% to 14,649 disclosed issues, after more than a decade of varying between 5,000 and 8,000 annual reports. Increases in the development of online applications, the use of open-source components, and more rigorous security testing are all likely contributing factors for the increase.
"It is somewhat expected that the overall number of vulnerabilities rises year after year," Imperva's Avital says. "Each year there are more products—new and legacy—to check and more sophisticated tools to check them with."
According to the NVD, the number of overall reported vulnerabilities continued to climb in 2018, increasing nearly 13% to more than 16,500. Other organizations tracking more specific classes of security flaws have seen similar increases: the number of vulnerabilities in open-source components, for example, has increased 51% to more than 3,200 documented issues, according to software-security firm WhiteSource Software.
"We definitely see a lot of growth in terms of the number of vulnerabilities associated with modern applications," said David Habusha, vice president of products at WhiteSource. "The attackers are focused on front-end facing Web servers, content management platforms, and Internet of Things."
While WordPress accounted for more than 500 vulnerabilities, another content management system, Drupal, had two of the most attacked vulnerabilities, Imperva found.
In terms of vulnerability classes, however, issues that allow commands to be run via another application—often referred to as injection attacks—accounted for 3,294 flaws, according to the report. Remote command execution accounted for the largest portion of vulnerabilities, with 1,980.
IoT Vulns Dropped
While Web applications appear to be increasingly targeted, another major focus of vulnerability research—the Internet of Things—appeared to fare pretty well in 2018, according to the Imperva report. The number of vulnerabilities found in IoT devices and software fell to its lowest level in three years.
The increasing interest in in developing security standards and best practices has likely prompted vendors to invest more in security, Imperva's Avital says.
"While fewer vulnerabilities were found in IoT products, it does not mean that IoT is safe from cyberattackers," he says. "While new IoT products may be more secure, many IoT vendors still don't push security updates and if they did, it isn't clear how to update or if they can even be deployed as some devices cannot be taken offline."
Companies need to automate both their scanning for vulnerabilities and use agile develop methodologies to fix security issues as early in the software-development cycle as possible, says Dan Cornell, chief technology officer for the Denim Group, a software-security firm.
"I think we are still at the saturation point, where organizations have a much greater focus on the detection of vulnerabilities over the remediation od vulnerabilities," Cornell says. "People are still doing a lot of testing, but they still are not fixing enough."
To fix vulnerabilities and reduce the number of issues that actually make it in production, code-checking software can help developers take a greater role in securing the software as it is written.