Government organizations and educational institutions, in particular, are increasingly in hackers’ crosshairs as severe web vulnerabilities spiral upward.
Remote code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi) are all top software offenders. All three increase or hover around the same alarming numbers year over year.
RCE, often the ultimate goal of a malicious attacker, was the main cause of IT scampering in the wake of the Log4Shell exploit. This vulnerability has seen a steady increase since 2018.
Enterprise security firm Invicti released its Spring 2022 AppSec Indicator report last month that revealed web vulnerabilities from over 939 of its customers worldwide. The findings come from an analysis of the largest dataset from the Invicti AppSec platform — with more than 23 billion customer application scans and 282,000 direct-impact vulnerabilities discovered.
Invicti’s research shows one-third of both educational institutions and government organizations experienced at least one occurrence of SQLi last year. Data from 23.6 billion security checks underscores a pressing need for a comprehensive application security approach, with government and education organizations still at risk of SQL injection this year.
The data shows that numerous commonplace and well-understood vulnerabilities continue to proliferate in web applications. It also shows the ongoing presence of these vulnerabilities present a serious risk to organizations in every industry.
Even well-known vulnerabilities are still prevalent in web applications, according to Invicti president and COO Mark Ralls. Organizations must gain command of their security posture to ensure that security is part of the DNA of an organization’s culture, processes, and tooling so that innovation and security work together.
“We saw that most severe web vulnerabilities continue to flourish, either holding steady or increasing in frequency over the past four years,” Ralls told TechNewsWorld.
The rampant escalation of incidents of SQL injection found among government and education organizations was the most surprising aspect of the research, noted Ralls.
Especially bothersome is the SQLi, which increased five percent in frequency over the past four years. This type of web vulnerability allows malicious actors to modify or replace queries an application sends to its database. That is particularly concerning for public sector organizations, which often store highly sensitive personal data and information.
RCEs are the crown jewel for any cyberattacker and the vector behind last year’s Log4Shell event. It, too, also increased by five percent since 2018. XSS saw six percent spike in frequency.
“These trends were echoed throughout the report findings, revealing a worrying state of affairs for cybersecurity,” said Ralls.
Skills Gap, Talent Shortage Involved
Another big surprise for researchers is an increase in the number of vulnerabilities reported from organizations that scan their assets. Numerous reasons could be the cause. But a lack of software developed trained in cybersecurity is one leading culprit.
“Developers, in particular, may need more education on avoiding these errors in the first place. We have seen that vulnerabilities are not being discovered even in the earliest stages of development when scanning,” explained Ralls.
When developers do not address vulnerabilities, they end up putting their organizations at risk. Automation and integration tools in place can help developers address these vulnerabilities more quickly and reduce the potential costs to the organization, he added.
Don’t Blame Web Apps Alone
Web apps per se are not becoming less secure. It is more a matter of developers being tired, overworked, and often not having enough experience.
Frequently, organizations hire developers who lack the necessary cybersecurity background and training. With the continuing push toward digital transformation, businesses and organizations are digitizing and developing apps for more aspects of their operations, according to Ralls.
“Plus, the number of new web applications that enter the market each day means that every extra app is a potential vulnerability,” he said. For example, if a company has ten applications, it is less likely to have one SQLi than if a company has 1,000 applications.
Applying the Cure
Business teams — whether developing or using software — require both the right paradigm and the right technologies. That involves prioritizing secure design models covering all the bases and baking security into the pre-code processes behind application architecture.
“Break down silos between teams,” Ralls advised. “Especially between security and development — and ensure organization-wide norms and standards are in place and upheld universally.”
Regarding investment in AppSec tools to stem the rising tide of faulty software, Ralls recommended utilizing robust tools that:
- automate as much as possible;
- integrate seamlessly into existing workflows;
- provide analytics and reporting to show proof of success and where more work is needed.
Do not overlook the importance of accuracy. “Tools with low false-positive rates and clear, actionable guidance for developers are necessary. Otherwise, you waste time, your team will not embrace the tech, and your security posture will be no better off,” he concluded.
Blind Spots Partly at Play
Significant breaches and dangerous vulnerabilities continue to expose organizations’ blind spots, Ralls added. For proof, look at the whirlwind impacts of Log4Shell.
Businesses worldwide scrambled to check if they were susceptible to RCE attacks in the widely-used Log4j library. Some of these risks are going up in frequency when they should be going away for good. It comes down to a disconnect between the reality of risk and the strategic mandate for innovation.
“It is not always easy to get everyone on board with security, especially when it seems like security is holding individuals back in project completion or will be too costly to set up,” said Ralls.
The growing number of effective cybersecurity strategies and scanning technologies can make persistent threats less frequent and make it easier to close the gap between security and innovation.