Government organizations and educational institutions, in particular, are increasingly in the crosshairs of attackers as the most serious web vulnerabilities continue to rise.
Remote code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi) remain the top software offenders. All three keep rising, or hover at the same alarming levels, year after year.
RCE, often an attacker's end goal, was behind the IT scramble that followed the Log4Shell exploit. Its frequency has risen steadily since 2018.
Enterprise security firm Invicti last month released its Spring 2022 AppSec Indicator report, which analyzed web vulnerabilities across 939 of its customers worldwide. The findings come from the Invicti AppSec platform's largest dataset to date, comprising more than 23 billion customer application scans and 282,000 direct-impact vulnerabilities discovered.
Invicti's research shows that one-third of both educational institutions and government organizations experienced at least one SQLi incident in the past year. Data from 23.6 billion security checks underscores the need for a comprehensive application security approach, with government and education organizations still at risk of SQL injection this year.
The data shows that many common and well-understood web application vulnerabilities are on the rise, and that their continued presence poses a serious risk to organizations in every industry.
According to Mark Ralls, President and COO of Invicti, even well-known vulnerabilities remain prevalent in web applications. To make security part of the DNA of an organization's culture, processes and tooling, organizations must gain command of their security posture so that innovation and security work together.
“We’ve seen the most serious web vulnerabilities continue to grow, either stable or increasing in frequency, over the past four years,” Ralls told TechNewsWorld.
Ralls said the most surprising finding was the rapid rise in SQL injection incidents among government and education organizations.
Particularly troubling is SQLi, which has increased in frequency by five percent over the past four years. This type of web vulnerability lets a malicious actor modify the queries an application sends to its database. It is of particular concern to public sector organizations, which often store highly sensitive personal data.
RCE is the crown jewel for any attacker and was the driver behind last year's Log4Shell exploit. It, too, is up five percent since 2018. XSS saw a six percent increase in frequency.
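The SQLi mechanism described above, as an added example that is not part of the article or Invicti's report: the script below uses Python's standard sqlite3 module and a constructed in-memory user table (the names and values are made up for illustration). The vulnerable lookup splices user input into the query text, so a classic `' OR '1'='1` payload rewrites the WHERE clause and dumps every row; the hardened lookup binds the same input as a parameter, so the query structure cannot change and the payload matches nothing.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [
    ("alice", "123-45-6789"),
    ("bob", "987-65-4321"),
]

# Classic tautology payload: closes the string literal, then appends a
# condition that is always true.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, ssn) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: user input is interpolated into the SQL text.

    The attacker controls part of the statement, so they can change the
    query the application sends to the database (e.g. remove the filter).
    """
    sql = f"SELECT username, ssn FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """HARDENED: parameterized query.

    The SQL text is fixed at write time; the driver sends the input as a
    bound value, never as part of the statement, so it cannot alter the
    query's structure. This is the standard fix for SQLi.
    """
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same payload and a legitimate name."""
    conn = build_db()
    return {
        # Tautology bypasses the filter: every row comes back.
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        # Same payload, bound as data: no user is literally named that.
        "safe": lookup_safe(conn, PAYLOAD),
        # The hardened query still works for normal input.
        "legit": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

Beyond the tautology, the same vulnerable function also accepts comment-style payloads such as `alice' --`, which truncate the rest of the statement; the parameterized version neutralizes those identically, because nothing the user types is ever parsed as SQL.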
“These trends were echoed throughout the report’s findings, revealing a worrying situation for cybersecurity,” Ralls said.
Skills Gap and Lack of Talent
Another big surprise for the researchers was the increase in the number of vulnerabilities reported by organizations that do scan their assets. There can be many reasons, but a shortage of software developers trained in cyber security is a major culprit.
“Developers, in particular, may need more education to avoid these errors. We have noticed that vulnerabilities are not being discovered during scanning, even in the early stages of development,” Ralls explained.
When developers don’t address vulnerabilities, they put their organizations at risk. Automation and integration tools, he said, can help developers fix these vulnerabilities more quickly and reduce the potential cost to the organization.
Don’t Blame Web Apps Alone
Web apps aren’t getting any less secure per se. It’s a matter of developers being tired, overworked and often not having enough experience.
Organizations often hire developers who lack the necessary cyber security background and training. According to Ralls, with the continuing push toward digital transformation, businesses and organizations are digitizing and developing apps for more aspects of their operations.
“In addition, the number of new web applications entering the market every day means that every additional app is a potential vulnerability,” he said. For example, a company with ten applications is less likely to have at least one SQLi flaw than a company with 1,000.
Business teams, whether developing or using software, require both the right paradigm and the right technologies. This means prioritizing a secure design model that covers all the bases and baking security into the pre-code processes behind the application architecture.
“Break up the silos between teams,” Ralls advised. “Particularly between security and development – and make sure organization-wide norms and standards are in place and created universally.”
When it comes to investing in AppSec tools to stem the rising tide of faulty software, Ralls recommends robust tools that:
- Automate as much as possible;
- Integrate seamlessly into existing workflows;
- Provide analysis and reporting to show evidence of success and where more work needs to be done.
Don’t overlook the importance of accuracy. “Tools with low false-positive rates and clear, actionable guidance for developers are essential. Otherwise, you waste time, your team won’t embrace the technology, and your security posture won’t improve,” he concluded.
Blind Spots in Play
Ralls said critical breaches and dangerous vulnerabilities continue to expose organizations’ blind spots. For proof, look at the fallout from Log4Shell.
Businesses around the world scrambled to test whether they were susceptible to RCE attacks through the widely used Log4j library. Some of these risks are increasing in frequency when they should have gone away for good. It comes down to a disconnect between the reality of risk and the strategic mandate for innovation.
“It is not always easy to get everyone on board with security, especially when it appears that security is holding individuals back from project completion or would be too costly to set up,” Ralls said.
An increasing number of effective cyber security strategies and scanning technologies can reduce persistent threats and make it easier to bridge the gap between security and innovation.