Businesses Reeling from ‘Awful’ Year for Web App Security
That’s according to a new report by Imperva, which says web app security was “just as awful” last year as a “disastrous” 2017. Web-app vulnerabilities jumped 21 percent last year compared to 2017, and a whopping 159 percent since 2016.
Nadav Avital, Imperva’s research manager of threat analytics, tells us security providers need to offer advanced web application firewall solutions to allow customers to adequately protect their assets.
“Additionally, because 38 percent of the vulnerabilities don’t have an available solution, such as a software upgrade, workaround or software patch, MSSPs need to provide a variety of security solutions to allow customers to attain ‘security in depth,’” he said.
Vulnerabilities such as SQL injection, command injection, object injection and others continued increasing last year. Injection flaws allow attackers to relay malicious code through an application to another system.
“Injection vulnerabilities will continue to grow mainly because of the economic implications to attackers (making fast money), while more vulnerabilities in APIs will be discovered as DevOps becomes a crucial factor in IT and its usage and demand increase,” Avital said.
On the content management system (CMS) front, WordPress vulnerabilities increased by 30 percent since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Not surprisingly, 98 percent of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog.
Anyone can create a plugin and publish it, and there is no enforcement or proper process that mandates minimum security standards (e.g., code analysis); hence, WordPress plugins are prone to vulnerabilities, according to the report.
Although WordPress leads the pack in sheer numbers, Drupal vulnerabilities had a larger effect and were used in mass attacks that targeted hundreds of thousands of sites during 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations.
Terry Ray, Imperva’s chief technology officer, said that with the expanding use of APIs and the challenges in detecting attacks against them, attackers will continue taking aim at APIs as a prime target for a host of different threats, especially brute-force attacks, app impersonation, phishing and code injection.
“The decline in IoT vulnerabilities is one silver lining,” Avital said. “2018 bore good news for the IoT industry as more organizations are showing interest in developing security standards and best practices; for example, the U.S. National Institute of Standards and Technology (NIST) announced in May 2018 that it is working to develop [an] IoT security standard. In addition, the Open Web Application Security Project (OWASP) released the new list of top 10 risks in IoT. These are all signs that the IoT industry, and in turn IoT vendors, is investing more in security.”