Web App Vulnerabilities Decline 25% in 12 Months

Published: 22/11/2024   Category: security




WhiteHat Security's annual Web app report shows the average number of vulns in a Web app is down from four to three.



Despite the number of vulnerabilities found in a single Web application falling by 25% in 2016 over the previous year, the number of exploitable flaws remains too high, according to WhiteHat Security's 12th Annual Application Security Statistics Report released today.
The average number of vulnerabilities found in a Web application fell to three from four, says Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center and Technical Support. Ideally that figure should be zero, however, he says.
"Three sounds like a low number, but even one vulnerability can be exploited and give attackers access to your credit card information or other personal information. It only takes one vulnerability to create a huge issue for a company," says O'Leary.
WhiteHat, which gleaned the data from 15,000 Web applications it monitors and more than 65,600 mobile apps, also crunched the numbers on the days it takes to fix critical and high-risk vulnerabilities as well as the types of vulnerabilities that are the most prevalent on mobile devices and on the Web.
According to the report, the average time it takes to fix a high-risk vulnerability after its discovery is 196 days – 25 days longer than the average of 171 days in 2015.
The reason it's taking longer to fix high-risk vulnerabilities is likely that software developers are switching over to an Agile software development process from the older, traditional waterfall method, O'Leary says. While there's typically a chunk of time at the end of a waterfall project to fix vulnerabilities, there are only smaller slivers of time to fix exploitable flaws under the Agile method, O'Leary explains.
As a result, software developers tend to want to fix the easiest vulnerabilities first under an Agile method, and that usually means the more complex vulnerabilities get left behind; those are usually also the high-risk flaws, O'Leary says.
But critical vulnerabilities, such as those that can lead to a total compromise of a server, database, or sensitive information, are usually slotted in and addressed at the prompting of a CISO or business leader -- even under an Agile software development process, says O'Leary.
Fixing critical vulnerabilities improved in 2016, taking an average of 129 days, compared with 146 days in the previous year, the report found.
Where the Vulns Are
When it comes to mobile apps, the top three Android app categories where vulnerabilities were found included news, games, and lifestyle apps, according to the report. And for the iOS platform, vulnerabilities were the most prevalent in news, music, and finance apps.
The most common type of vulnerability for mobile apps, whether Android or iOS, lies in the communication between the mobile device itself and the backend server, O'Leary says. The vulnerability resides in the secure transport of the data from the device to the backend server.
For Web apps, approximately 60% of applications are "always vulnerable" in the utilities, education, accommodations, retail, and manufacturing industries, the report found. The "always vulnerable" status means that WhiteHat was able to find at least one vulnerability in the app every minute of the day during the 12 months it collected data for the report.
Web apps continue to suffer from two major vulnerabilities that seem to have existed forever, O'Leary says: cross-site scripting (XSS) and information leakage.
"The most common type of Web app [vulnerability] is XSS, regardless of the industry. People have known about it forever but can't seem to fix it," he says.
Information leakage, meanwhile, often is the result of software developers leaving comments in their code, for example, he says. That information is made public when the app is launched and can ultimately provide attackers with enough information to aid them in launching an attack, O'Leary says.
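One practical check for the comment leakage O'Leary describes, added here as an example (not code from the article or from WhiteHat): a small pre-release scan that parses a rendered HTML page, collects every HTML comment, and flags the ones that match patterns for developer notes, credential-like tokens, internal hostnames, version strings and file paths. The rule set and the sample page are constructed for illustration, and the rules are a starting point to tune per site rather than a complete list.

```python
"""Pre-release check for information leakage through HTML comments.

Added example (not from the article or WhiteHat): scan a rendered page for
developer comments that expose internal detail.  The rules and the sample
page below are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# Each rule is (label, compiled regex).  Constructed starting set; tune per site.
LEAK_RULES = [
    ("todo/fixme note", re.compile(r"\b(TODO|FIXME|HACK|XXX)\b", re.I)),
    ("credential-like token",
     re.compile(r"\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]", re.I)),
    ("internal hostname or address",
     re.compile(r"\b(localhost|[a-z0-9.-]+\.(internal|local|corp)"
                r"|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+)\b", re.I)),
    ("software version string", re.compile(r"\b(v(?:ersion)?\s*\d+\.\d+(?:\.\d+)?)\b", re.I)),
    ("file path", re.compile(r"(/(?:var|etc|home|opt|srv)/[\w./-]+|[A-Z]:\\[\w\\.-]+)")),
]


class CommentCollector(HTMLParser):
    """Collects every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (lineno, comment text)

    def handle_comment(self, data):
        lineno, _offset = self.getpos()  # position of the '<!--' being parsed
        self.comments.append((lineno, data.strip()))


def find_leaky_comments(html: str):
    """Return findings as (lineno, rule label, comment text) for every rule a comment matches."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for lineno, text in parser.comments:
        for label, rx in LEAK_RULES:
            if rx.search(text):
                findings.append((lineno, label, text))
    return findings


# Constructed sample page: one harmless comment and three that should be flagged.
SAMPLE_PAGE = """<!doctype html>
<html>
<head>
  <!-- Layout template, last reviewed by design team -->
  <title>Checkout</title>
</head>
<body>
  <!-- TODO: remove debug flag before launch -->
  <form action="/pay" method="post">
    <!-- staging backend: api.payments.internal, db user=app password=Winter2016 -->
    <input type="hidden" name="csrf" value="...">
  </form>
  <!-- built with CommerceKit v2.3.1, deployed from /srv/www/release -->
</body>
</html>
"""

if __name__ == "__main__":
    for lineno, label, text in find_leaky_comments(SAMPLE_PAGE):
        print(f"line {lineno}: {label}: {text}")
```

Run against the sample page, the scan reports five findings on three comments (the layout note on line 4 is clean); the harmless comment shows why the check reports rule matches for a human to triage rather than blocking on every comment.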
One of the new vulnerabilities that has emerged over the last couple of years is insufficient transport layer security (TLS) protection, says O'Leary. He noted Heartbleed was the first to take advantage of the open TLS handshake that occurs as information is passed from the browser to the server.
"In 2012, you didn't see many vulnerabilities in the transport layer, but after Heartbleed, it set off a bunch of these types of vulnerabilities," he notes.
Software developers, who have increasingly relied on third-party and open source libraries, should double-check for patches for those libraries before using them in their apps, O'Leary advises.
"Before, development was about building code from start to finish. But now, developers use open source and third-party libraries and it's scary to think that they don't even know the [security level] of what they are importing," O'Leary says.
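One way to act on that advice before a release, added here as an example (not code from the article): audit the versions pinned in a requirements file against a list of advisories that record the version in which a flaw was introduced and the version that fixed it, and report every pin that still needs the patch. The advisory entries, their identifiers and the requirements text are constructed for illustration; a real pipeline pulls advisories from a vulnerability database and uses a full PEP 440 version comparison rather than the integer-tuple comparison used here.

```python
"""Dependency pin audit against an advisory list.

Added example, not from the article: compare pinned library versions against
known introduced/fixed versions and flag pins that are still affected.  The
advisories and the requirements text below are constructed for illustration.
"""
import re


def parse_version(s: str):
    """Split a dotted version into a tuple of ints so '1.10.2' compares above '1.9'.

    Simplification: pre-release and local suffixes are ignored; production
    tooling should use a PEP 440 implementation instead.
    """
    return tuple(int(p) for p in re.findall(r"\d+", s))


def parse_requirements(text: str):
    """Return {name: version} for 'name==version' lines; comments and unpinned lines are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


# Constructed advisories: a pin is affected when introduced <= pinned < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib", "introduced": "0", "fixed": "2.4.1"},
    {"id": "EXAMPLE-ADV-0002", "package": "netparse", "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "netparse", "introduced": "1.2.0", "fixed": "1.2.5"},
]


def audit(pins, advisories=ADVISORIES):
    """Return a sorted list of (package, pinned, advisory id, fixed version) for affected pins."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue  # library not used by this project
        v = parse_version(pinned)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return sorted(findings)


# Constructed requirements file: two stale pins, one clean pin, one unpinned entry.
REQUIREMENTS = """# constructed requirements.txt
examplelib==2.3.9
netparse==1.2.2    # pinned months ago
safepkg==4.0.0
flask
"""

if __name__ == "__main__":
    for package, pinned, adv_id, fixed in audit(parse_requirements(REQUIREMENTS)):
        print(f"{package}=={pinned} is affected by {adv_id}; upgrade to >= {fixed}")
```

The unpinned `flask` line is deliberately skipped: without a pin the audit cannot say which version will be installed, which is itself a finding worth raising in review, since the fix version can only be enforced once the dependency is pinned.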
Related Content:
SSL After The Heartbleed
A Temperature-Check On The State Of Application Security
The New Shadow IT: Custom Data Center Applications
Android Security Apps for BYOD Users