Despite years topping vulnerability lists, SQL injection and cross-site scripting errors (XSS) remain the bane of security teams, according to a new report by a penetration-testing-as-a-service company.

The report by BreachLock, based on 8,000 security tests performed in 2021, organizes its findings by risk level. Critical findings pose a very high threat to a company’s data. High risks could have a catastrophic effect on an organization’s operations, assets or individuals, and medium risks an adverse one.

More than a third of the critical risks found in web applications (35%) can be attributed to injection or data exposure, which the report flags as a concern because the number of internet-hosted applications keeps growing as organizations digitalize.

“Despite SQL injection being such a common vulnerability for years, I’m surprised to see it is still as common as it was in 2014, 2015. More than 27% of our findings are SQL injection findings,” says BreachLock Vice President of Products Prateek Bhajanka.

Adoption of DevSecOps improving application security

Even more alarming, according to the report, is that more than 50% of the high-risk findings in web apps could be pegged to cross-site scripting. The report attributes this to developers taking a “deny list” approach to input validation (stripping the known-bad patterns they can think of) rather than an “allow list” approach (accepting only what is known to be good), which leaves the application exposed to inputs the deny list never anticipated.
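The difference between the two approaches, as an added illustration that is not part of the article or the BreachLock report. The greeting template, the “display name” field rules, and the payloads are constructed for the example; the point is that a deny list is only as good as the patterns its author anticipated, while an allow list plus contextual output encoding does not depend on guessing what attackers will send.

```javascript
// Added example, not code from the article or the BreachLock report.
// Contrasts a deny-list XSS filter with allow-list validation plus output
// encoding. Field semantics ("display name") and payloads are constructed.

// Deny-list approach: remove the dangerous patterns the developer thought of.
// Everything not on the list, including patterns that did not exist when the
// list was written, passes straight through.
function denyListFilter(input) {
  return input
    .replace(/<script[^>]*>.*?<\/script>/gi, "")
    .replace(/javascript:/gi, "");
}

// Allow-list approach: define what a display name may contain and reject
// anything else outright. Returns the value or null; no attempt to "clean".
function allowListValidate(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 40) {
    return null;
  }
  return /^[A-Za-z0-9 ._'-]+$/.test(input) ? input : null;
}

// Contextual output encoding for HTML text content. Validation bounds what is
// stored; encoding is what keeps stored data from becoming markup (note the
// legitimate apostrophe in a name still gets encoded).
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The same greeting template rendered under each approach.
function renderDenyList(name) {
  return `<p>Welcome, ${denyListFilter(name)}</p>`;
}

function renderAllowList(name) {
  const safe = allowListValidate(name);
  return safe === null ? null : `<p>Welcome, ${encodeHtml(safe)}</p>`;
}

// Constructed payloads: the first uses an event-handler attribute, which the
// deny list never considered; the second defeats the single-pass filter by
// nesting tags so that removing one leaves a valid one behind; the third is
// an ordinary name containing a character that must still be encoded.
const payloads = [
  "<img src=x onerror=alert(1)>",
  "<scr<script></script>ipt>alert(1)</script>",
  "Conan O'Brien",
];

for (const p of payloads) {
  console.log("deny  :", renderDenyList(p));
  console.log("allow :", renderAllowList(p));
}
```

Run with `node`, the deny-list output still contains live markup for both attack payloads, while the allow-list path rejects them and encodes the one legitimate input.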

Nevertheless, critical and high findings for web apps represent only 5% of all findings in that category. The report reads this as confirmation that attention to web application security, especially the adoption of DevSecOps, is paying off.

When analyzing organizations’ infrastructure, BreachLock found a greater share of critical and high vulnerabilities in internal infrastructure (more than 15%) than in external infrastructure (more than 9%). That indicates, the report noted, that organizations apply more rigor to managing external-facing vulnerabilities than internal ones.

The report cautioned that cyber threats don’t only arrive through external-facing assets. An attacker who gains a foothold on internal systems through phishing emails or stolen credentials can elevate privileges and move laterally within the network.

Smaller organizations more vulnerable

Critical and high findings were low in mobile apps, just over 7% for Android apps and close to 5% for iOS apps. Among the most common high and critical errors identified in mobile apps were credentials hard-coded into the app itself. An attacker who extracts these credentials can use them to gain access to sensitive information, the report explained.

More than 75% of the errors found in APIs were in the low category. However, the report warns that low risk doesn’t equate to no risk: threat actors don’t consult the severity rating before exploiting a vulnerability. Among the critical risks found in APIs, the largest shares were missing function-level access controls (47.55%) and Log4Shell vulnerabilities (17.48%).
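What a missing function-level access control looks like in code, as an added illustration that is not part of the article or the report. The routes, roles, user records and request objects below are assumptions constructed for the example; the vulnerable dispatcher checks only that a caller is authenticated, while the hardened one requires every function to declare who may call it and denies anything undeclared.

```javascript
// Added example, not code from the article or the BreachLock report. A minimal
// API dispatcher showing a missing function-level access control and the
// corrected, deny-by-default version. Routes, roles and users are constructed.

// Constructed user records; in a real service the role claim comes from a
// verified session or token, never from the request body.
const users = {
  1: { id: 1, role: "user" },
  2: { id: 2, role: "admin" },
};

// Business handlers keyed by "METHOD path". They contain no authorization
// logic; the dispatcher is the one place that decides who may call what.
const handlers = {
  "GET /api/profile": (req) => ({ status: 200, body: { id: req.user.id, role: req.user.role } }),
  "DELETE /api/users": (req) => ({ status: 200, body: { deleted: req.params.id } }),
  "POST /api/export": () => ({ status: 200, body: { exported: true } }),
};

// Vulnerable dispatcher: authentication is checked, authorization is not.
// The admin-only DELETE is "protected" only by not being linked in the UI,
// which is exactly the finding the report labels missing function-level control.
function dispatchVulnerable(req) {
  const handler = handlers[`${req.method} ${req.path}`];
  if (!handler) return { status: 404 };
  if (!req.user) return { status: 401 };
  return handler(req);
}

// Hardened dispatcher: each function declares the roles allowed to call it.
// A function with no entry (here, POST /api/export, perhaps added later and
// never reviewed) is denied rather than allowed by default.
const allowedRoles = {
  "GET /api/profile": ["user", "admin"],
  "DELETE /api/users": ["admin"],
};

function dispatchHardened(req) {
  const key = `${req.method} ${req.path}`;
  const handler = handlers[key];
  if (!handler) return { status: 404 };
  if (!req.user) return { status: 401 };
  const roles = allowedRoles[key];
  if (!roles || !roles.includes(req.user.role)) return { status: 403 };
  return handler(req);
}

// Constructed request: an ordinary user calling the admin-only function.
const lowPrivDelete = { method: "DELETE", path: "/api/users", params: { id: 2 }, user: users[1] };

console.log("vulnerable:", dispatchVulnerable(lowPrivDelete).status); // 200
console.log("hardened  :", dispatchHardened(lowPrivDelete).status);   // 403
```

The check is deliberately keyed on the function (method plus path) rather than on the caller’s UI, because hiding a button is not an access control; a tester who enumerates the API will call the function directly, which is how this class of finding is typically confirmed.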

Of all high and critical findings across companies, the report noted, 87% were found in organizations with fewer than 200 employees. The report identified several reasons for that: cybersecurity being an afterthought in relatively small organizations; a dearth of bandwidth, security know-how and staffing; a lack of security leadership and budget; and the speed of business overpowering the need to do business securely.

The report also analyzed average times to mitigate critical and high findings by business vertical, finding the longest in manufacturing (101 days) and healthcare (95.56 days) and the shortest in automotive (30 days) and professional services (33 days).

Bhajanka hopes organizations will be able to use the findings in the report to improve their cybersecurity posture. “They will be able to see whether they are doing better than global peers in the industry or doing worse,” he observes. “If they’re doing worse, it should be an alarm for them.”

Copyright © 2022 IDG Communications, Inc.