On Tuesday at Infosecurity Europe 2017, web and mobile application security testing company High-Tech Bridge released a first-quarter report on application security trends. The report drew from data collected on the ImmuniWeb Application Security Testing Platform and High-Tech Bridge's free web security services, as well as other open sources.
Here are the main findings:
1. No end in sight for "Bug Bounty fatigue"
According to the report, "9 out of 10 web applications in the scope of a private or public bug bounty program, running for a year or longer, contained at least two high-risk vulnerabilities undetected by the crowd security testing."
Because understanding these bugs involves thorough research from crowd security testing platforms, which are paid for catching flaws, attackers often look first to newcomers to the market—often the most vulnerable. However, as illustrated by the fact that no one entered Google's Project Zero Prize, researchers are not likely to pursue projects for which they are not paid. To discourage researchers from sticking to this "easy-money" strategy, Qualys and BugCrowd joined up to employ researchers in the industry.
SEE: How to develop a bug bounty program (TechRepublic)
2. Enterprises are still vulnerable to breaches via mobile backends
A great majority of mobile apps in banking and retail—83%—have a mobile backend (web services and APIs) that is susceptible to a security breach, according to the report. These vulnerabilities mostly arise from inadequate authorization measures. The report says that "various injections, mainly represented by SQL and XML injections, are also quite common, aggravated by a frequently missing WAF on the mobile backend."
3. Mobile applications are not as vulnerable to risks as the hype suggests
According to the report, nearly all vulnerabilities in mobile app code—95%—are not susceptible to a major breach. The most common vulnerability is "insecure, or cleartext storage of sensitive or authentication data on a mobile device," the report stated. After that, the next most popular susceptibility is "insecure, or otherwise unreliable, components used in the application code putting mobile phone privacy at risk." Mobile communications are also vulnerable, and must be secured with a mobile backend, (APIs and Web Services), in order to prevent sensitive data to be intercepted.
4. IoT devices' web interfaces and panels are at risk
The Internet of Things (IoT) is another area rife with security risks: According to the report, "nearly all (98%) of web interfaces and administrative panels of various IoT devices had fundamental security problems." Among these include hardcoded and unmodifiable admin credentials, outdated software (such as web servers) without any means to update it, lack of HTTP traffic encryption, and several critical vulnerabilities in the interface.
SEE: How the DoD uses bug bounties to help secure the department's websites (TechRepublic)
5. Humans represent a weak link in DevSecOps
In two-thirds of companies with a DevSecOps strategy, at least one critical vulnerability was discovered due to human error, such as a secure web app being located on a database backup or easily-discovered location, the report stated. According to the report, "the bigger the organization is, the more complicated it is to prevent such incidents, as numerous data and process owners change their decisions and requirements much faster than IT has time to properly adopt them, following internal processes."
6. Most popular vulnerabilities: XSS, CSRF and information disclosure
The Open Web Application Security Project (OWASP)'s Top Ten vulnerabilities still include these three as major risks for the enterprise, the report stated. In the financial, insurance, and retail industries, they are lower risk—accounting for around 60% of flaws. According to the report, "thorough and mature security testing, greater security awareness, compliance and regulatory requirements in these industries can probably explain this disparity."
SEE: Job description: Security Architect (Tech Pro Research)
7. Vulnerabilities such as XSS are more difficult to catch
Some 53% of simple flaws from the OWASP Top Ten, according to the report, cannot be found by tools like vulnerability scanners and other fully automated solutions. "For example, many [at a first glance] simple XSS flaws require a valid client ID or Google's reCAPTCHA, or is only reproducible with a long set of other valid HTTP parameters. Moreover, complicated authentication systems (e.g. using 2FA and session expiration in case of abnormal behavior) preclude vulnerability scanners from testing the authenticated part of the applications." In other words, humans should always been in the loop when it comes to securing web applications.
8. Web server security needs to get tougher
Only 2.4% of global web servers are fully implementing "a Content Security Policy (CSP), various security-related HTTP headers and other options of web server security," putting them at risk, according to the report.
9. Web application firewalls (WAF) still can't guard against high-end flaws
The report shows that "22% of SQL injections in web applications protected by a commercial WAF were fully exploitable (i.e. allowing to extract sensitive data from the database). However, 58% of these vulnerabilities were partially exploitable (e.g. show SQL server version or user) using different WAF bypass techniques."
However, a majority of cases (88.7) showed that "various types of complicated improper access control, chained vulnerabilities and flawed application business logic were not detected, and thus remained unremediated by WAFs," the report stated.
10. The growth of HTTPS encryption reliability is slowing down
More than 2.2 million unique web security server tests were conducted using High-Tech Bridge's free SSL/TLS server test in June. These tests mostly demonstrated that web servers had strong security measures—64.4% received an "A." Still, growth is slow: This figure represents only 0.2% and 0.1% of the growth over the last six months. Countries with the most secure web servers, in terms of HTTPS configuration, are the US, Germany, France, Netherlands and the UK.
- The Department of Defense wants more of you to hack the Pentagon (ZDNet)
- Facebook's bug bounty: Now it's paid out $5m for security flaws to 900 hunters (ZDNet)
- Ethical hackers: How hiring white hats can help defend your organisation against the bad guys (TechRepublic)
- DoD, HackerOne kick off Hack the Army bug bounty challenge (ZDNet)
- Cybersecurity in President Trump's America: The first 100 days (TechRepublic)
- Special report: Cyberwar and the future of cybersecurity (free ebook) (TechRepublic)
Hope Reese has nothing to disclose. She doesn't hold investments in the technology companies she covers.
Hope Reese is a journalist in Louisville, KY. Her writing has been featured in The Atlantic, The Boston Globe, The Chicago Tribune, Playboy, Undark Magazine, VICE, Vox, and other publications.