Despite years topping vulnerability charts, SQL injection and cross-site scripting (XSS) bugs remain the bane of security teams, according to a new report from a penetration-testing-as-a-service company.
Based on 8,000 security tests conducted in 2021, the BreachLock report organizes its findings by risk. Critical risk findings pose a major threat to a company’s data. Elevated risks could have a catastrophic effect on an organization’s operations, assets, or people. Medium risks could have an adverse impact on operations, assets or people.
More than a third of critical risks found in web applications (35%) can be attributed to data injection or data exposure, which the report says is a cause for concern given that the number of Internet-hosted web applications grows with increasing digitization among organizations.
“Even though SQL injection was such a common vulnerability for years, I am surprised to see that it is still as common as it was in 2014 and 2015. More than 27% of our findings are SQL injection findings,” says Prateek Bhajanka, Vice President of Products at BreachLock.
Adoption of DevSecOps improving application security
Even more alarming, according to the report, is that more than 50% of high-risk findings in web applications could be linked to cross-site scripting flaws. The report explains that developers often take the “deny list” approach to data validation rather than the “allow list” approach, leaving room for unanticipated input to exploit cross-site scripting vulnerabilities.
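To illustrate the report's deny-list versus allow-list point, here is an added example (written for this page, not code from BreachLock or the report): a deny-list validator for a hypothetical display-name field only catches fragments it already knows, while an allow-list validator describes the acceptable input and rejects everything else. The field rules and sample inputs are constructed.

```python
import html
import re

# Deny-list approach described in the report: reject input containing known-bad
# fragments. Anything not on the list (a case variant, an unlisted tag) passes.
DENY_LIST = ("<script>", "javascript:")

def deny_list_validate(value: str) -> bool:
    """Return True if the value is accepted, i.e. no listed fragment was found."""
    return not any(bad in value for bad in DENY_LIST)

# Allow-list approach: state exactly what a display name may contain and reject
# the rest, so unanticipated input never reaches the rendered page.
ALLOW_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")

def allow_list_validate(value: str) -> bool:
    """Return True only if the whole value matches the allowed shape."""
    return ALLOW_RE.fullmatch(value) is not None

def render_display_name(value: str) -> str:
    """Validate on input, then HTML-encode on output as a second line of defence."""
    if not allow_list_validate(value):
        raise ValueError("rejected display name")
    return f'<span class="name">{html.escape(value, quote=True)}</span>'

# Constructed sample inputs (not taken from the report).
SAMPLES = {
    "alice_01": "benign name",
    "<script>alert(1)</script>": "fragment on the deny list",
    "<Script>alert(1)</Script>": "case variant, not on the list",
    "<svg onload=alert(1)>": "tag the deny list never anticipated",
}

def compare(samples=SAMPLES) -> dict:
    """Map each sample to (deny_list_accepts, allow_list_accepts)."""
    return {s: (deny_list_validate(s), allow_list_validate(s)) for s in samples}

if __name__ == "__main__":
    for sample, (deny_ok, allow_ok) in compare().items():
        print(f"{SAMPLES[sample]:<36} deny-list accepts={deny_ok!s:<5} "
              f"allow-list accepts={allow_ok}")
```

The two unlisted variants are accepted by the deny list and rejected by the allow list, which is the gap the report attributes the high-risk XSS findings to.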
However, critical and high findings for web applications represent only 5% of all findings in the category. These data insights reaffirm that web application security practices, especially with the adoption of DevSecOps, are resulting in improved application security, the report states.
When analyzing organizations’ infrastructure, BreachLock found a higher percentage of high and critical vulnerabilities in their internal infrastructure (over 15%) compared to their external infrastructure (over 9%). This indicates, the report noted, that organizations impose greater rigor in the management of external vulnerabilities than internal ones.
The report warned that cyber threats don’t just come from external assets. Internal systems can be breached using phishing emails and stolen credentials to elevate privileges and move laterally within a network.
Smaller organizations are more vulnerable
Critical and high findings were low for mobile apps, at just over 7% for Android apps and close to 5% for iOS apps. Among the most common high and critical bugs in mobile apps identified in the report are encrypted credentials stored within the apps. Using these credentials, attackers can gain access to sensitive information, the report explains.
More than 75% of the findings in APIs were in the low category. However, the report warns that low risk does not equate to no risk: threat actors don’t consider the severity of findings before exploiting a vulnerability. Among the most prevalent critical risks found in APIs were a lack of function-level controls (47.55%) and Log4Shell vulnerabilities (17.48%).
Of all high and critical findings in companies, the report noted, 87% were found in organizations with fewer than 200 employees. The report identified several reasons for this, including cybersecurity as an afterthought in relatively small organizations; a shortage of bandwidth, security skills, and staff; lack of security leadership and budget; and the speed of business outweighing the need to do business securely.
The report also analyzed the average mitigation times for critical and high findings by business vertical, finding the longest times in the manufacturing (101 days) and health (95.56 days) sectors and the shortest in the automotive (30 days) and professional services (33 days) sectors.
Bhajanka hopes organizations can use the report’s findings to improve their cybersecurity posture. “They will be able to see if they are doing better than their global peers in the industry or if they are doing worse,” she observes. “If they’re doing worse, it should be an alarm for them.”
Copyright © 2022 IDG Communications, Inc.