Yet, even with a 30% decline, web applications are still at risk and new scan targets have more vulnerabilities than others, according to a new Acunetix report.
Although people might think that web applications in general are slowly getting more secure, "the truth is less optimistic," a new report finds. Applications protected by web vulnerability scanning are becoming more secure, but "relatively new targets have more vulnerabilities," according to the 2020 Acunetix Web Vulnerability Report.
Unprotected websites and web applications are the second leading source of major security breaches, and this leads to billions of personal records being stolen by criminals, according to Acunetix.
The fact that there are new targets is worrying because "It means that new developers do not have the knowledge that is required to avoid vulnerabilities," the report said. "It also suggests that these developers are working within a development structure that does not promote web security."
Specifically, the report lists these vulnerabilities:
· Remote code execution (RCE): 3% (↑ from 2% in 2019)
· SQL Injection (SQLi): 8% (↓ from 14% in 2019)
· Directory traversal: 4% (↑ from 2% in 2019)
· Cross-site Scripting (XSS): 25% (↓ from 33% in 2019)
· Server-side Request Forgery (SSRF): 1% (1% in 2019)
· Cross-site Request Forgery (CSRF): 36% (↓ from 51% in 2019)
· Host header injection: 2.5% (↓ from 4% in 2019)
· WordPress vulnerabilities: 24% (↓ from 30% in 2019)
The report posits that experienced website developers and system administrators are making progress since Acunetix said it also saw decreasing numbers for SQL Injection issues for the second year in a row.
The researchers compared server-side programming languages and concluded that "PHP remains as popular as before," followed by ASP.NET, "but developers more and more often use other, less popular server-side languages." The report found that:
· The percentage of PHP vulnerabilities has declined a lot. The percentage of ASP or ASP.NET vulnerabilities is growing.
· The percentage of vulnerabilities in Apache/nginx has declined a lot. The percentage of IIS vulnerabilities is growing.
Most companies think that all they need to do to secure a website is to install an SSL certificate, the company said. Many don't realize how many serious holes there are in their websites and how easy it is for a malicious hacker to break in. A break-in could lead to the theft of sensitive data, damage to the company's reputation, and direct attacks on the company's customers. For example, Acunetix cited the 2019 Capital One breach, which was caused by a web vulnerability called SSRF.
The report concludes that "we are very slowly going in the right direction. The number of vulnerabilities is decreasing, but only gradually. We are still far from being secure on the web – more than 25% of web applications have at least one high-severity vulnerability."
It is not enough to stay current with the proper version and patch management to keep web resources secure, the report said. "Keeping a web application safe is much more difficult. Most vulnerabilities are not about which systems you use but how you use them. Web application vulnerabilities such as SQL Injection and remote code execution appear because of poor design and programming, even if you choose best-of-class software and components."
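The report's point that vulnerabilities come from how components are used rather than which ones are chosen is easiest to see with SQL Injection. The following is an added illustration, not code from the report or from Acunetix: both functions use the same, fully patched database library (Python's built-in sqlite3 against a constructed in-memory table with one hypothetical user), but only the one that builds the query by string concatenation can be bypassed with a quote in the password field; the parameterized version treats the same input as plain data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration: one user in an
    # in-memory database, so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Vulnerable pattern: the SQL text is assembled from untrusted input.
    # A quote character in either field changes the structure of the query,
    # so the condition can be rewritten by the caller. The library itself is
    # not at fault; it is being used incorrectly.
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened pattern: same library, same logical query, but the values are
    # bound as parameters. Whatever the input contains, it is compared as a
    # literal string and can never be parsed as SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    (count,) = conn.execute(query, (name, password)).fetchone()
    return count > 0


def demo() -> dict:
    # Runs both implementations against a valid credential and against the
    # classic tautology input that SQL Injection scanners test for, returning
    # the four outcomes so they can be checked rather than just printed.
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "concat_valid": login_concatenated(conn, "alice", "s3cret"),
        "concat_tautology": login_concatenated(conn, "alice", tautology),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'login accepted' if accepted else 'login rejected'}")
```

The concatenated version accepts the tautology because the resulting WHERE clause reads `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the parameterized version rejects it because the whole string is compared against the stored password. Finding this in code review or with a scanner, and fixing it by binding parameters, is the kind of design-level defect the report attributes the SQL Injection figures to.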
Acunetix suggests that the best way to improve web application security is to introduce security testing automation into the development lifecycle. "This means integrating web vulnerability scanning with issue trackers, continuous deployment environments, and similar tools."
The Acunetix report analysis mainly applies to high and medium severity vulnerabilities found in web applications, as well as perimeter network vulnerability data from 5,000 randomly selected scan targets, the company said.