Government organizations and educational institutions, in particular, are increasingly in the crosshairs of hackers as serious web vulnerabilities soar.
Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection (SQLi) are all major software offenders. All three are increasing or hovering around the same alarming numbers year after year.
RCE, often the ultimate goal of a malicious attacker, was the main cause of the IT disruption that followed the Log4Shell exploit. This class of vulnerability has seen a steady increase since 2018.
Enterprise security firm Invicti released its Spring 2022 AppSec Indicator report last month that revealed web vulnerabilities for more than 939 of its customers worldwide. The findings come from an analysis of the largest data set in the Invicti AppSec platform – with over 23 billion client application scans and 282,000 direct impact vulnerabilities discovered.
Invicti research shows that a third of educational institutions and government organizations experienced at least one occurrence of SQLi in the last year. Data from 23.6 billion security checkpoints underscores the urgent need for a comprehensive approach to application security, with government and education organizations still at risk from SQL injection this year.
Data shows that many common and well-understood vulnerabilities continue to proliferate in web applications. It also shows that the continued presence of these vulnerabilities poses a serious risk to organizations across all industries.
Even well-known vulnerabilities are still present in web applications, according to Invicti President and COO Mark Ralls. Organizations need to master their security posture to ensure that security is part of the DNA of an organization’s culture, processes, and tools so that innovation and security work together.
“We have seen that the most severe web vulnerabilities continue to thrive, either remaining stable or increasing in frequency over the past four years,” Ralls told TechNewsWorld.
Key points to remember
The rampant escalation of SQL injection incidents seen among government and educational organizations was the most surprising aspect of the research, Ralls noted.
SQLi, whose frequency has increased by 5% over the past four years, is particularly troublesome. This type of web vulnerability allows malicious actors to modify or override the queries that an application sends to its database. This is of particular concern for public sector organizations, which often store highly sensitive personal data and information.
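To make concrete what "modifying the queries an application sends to its database" means, here is an added example (not from the Invicti report or the article) in Python with sqlite3: a string-built lookup beside its parameterized form, run against a constructed three-row users table. The table, rows and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the report).
SAMPLE_USERS = [
    ("alice", "alice@example.gov"),
    ("bob", "bob@example.edu"),
    ("carol", "carol@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_unsafe_query(username: str) -> str:
    """The vulnerable pattern: user input is pasted into the SQL text.
    Whatever the caller supplies becomes part of the statement the
    application sends to its database, so quotes and keywords in the
    input change the query's structure, not just its data."""
    return f"SELECT username, email FROM users WHERE username = '{username}'"


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    return conn.execute(build_unsafe_query(username)).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: the SQL text is fixed and the driver binds
    the input as a value. The statement structure can no longer be
    altered by the input, so a tautology string is compared as a
    literal username and matches nothing."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print(build_unsafe_query(tautology))  # the query the database actually sees
    print("unsafe:", len(lookup_unsafe(db, tautology)), "rows")  # 3: whole table
    print("safe:  ", len(lookup_safe(db, tautology)), "rows")    # 0: no such user
```

Scanners of the kind the report describes flag the first pattern; the fix is the second, applied consistently, plus least-privilege database accounts so a successful injection cannot read or alter more than the application needs.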
RCE is the crown jewel for any cyberattacker and was the vehicle for last year’s Log4Shell event. Its frequency has also increased by 5% since 2018. XSS has seen its frequency increase by 6%.
“These trends were echoed in the report’s findings, revealing a worrying situation for cybersecurity,” Ralls said.
Skills gap, talent shortage implied
Another big surprise for the researchers is the increase in the number of vulnerabilities reported by organizations scanning their assets. There are many possible reasons for this, but the shortage of software developers trained in cybersecurity is one of the main culprits.
“Developers, in particular, may need more education to avoid these errors in the first place. We have seen that vulnerabilities are not discovered even in the early stages of development during analysis,” Ralls explained.
When developers don’t fix vulnerabilities, they end up putting their organization at risk. Having automation and integration tools in place can help developers address these vulnerabilities faster and reduce potential costs to the organization, he added.
Don’t Blame Web Apps Alone
Web applications themselves are not becoming less secure. It is more a question of tired, overworked and often insufficiently experienced developers.
Often, organizations hire developers who lack the necessary cybersecurity knowledge and training. With the continued push toward digital transformation, businesses and organizations are digitizing and building apps for more aspects of their operations, according to Ralls.
“Additionally, the number of new web applications hitting the market every day means that each additional application is a potential vulnerability,” he said. For example, a company with ten applications is less likely to have an SQLi somewhere in its estate than a company with 1,000 applications.
Apply the cure
Business teams, whether developing or using software, need both the right paradigm and the right technologies. This involves prioritizing secure design patterns that cover all the bases and building security into the pre-coding processes behind application architecture.
“Break down silos between teams,” Ralls advised. “Particularly between security and development – and ensure organization-wide norms and standards are in place and universally adhered to.”
When it comes to investing in AppSec tools to stem the rising tide of faulty software, Ralls recommended using robust tools that:
- automate as much as possible;
- integrate seamlessly into existing workflows;
- provide analysis and reports to show proof of success and where more work is needed.
Don’t overlook the importance of precision. “Tools with low false positive rates and clear, actionable guidance for developers are needed. Otherwise, you’re wasting time, your team won’t adopt the technology, and your security posture won’t be better,” he concluded.
Blind spots partially in play
Significant flaws and dangerous vulnerabilities continue to expose organizations’ blind spots, Ralls added. For proof, look at the ripple effects of Log4Shell.
Companies around the world rushed to check whether they were susceptible to RCE attacks through the widely used Log4j library. Some of these risks are increasing in frequency when they should be disappearing. It boils down to a disconnect between the reality of risk and the strategic mandate to innovate.
“It’s not always easy to get everyone on board with security, especially when it looks like security is holding people back from completing the project or will be too expensive to implement,” Ralls said.
The growing number of effective cybersecurity strategies and scanning technologies can reduce the frequency of persistent threats and help close the gap between security and innovation.