Improvements in patch deployment and secure coding practices have made a slight impact on the incidence of vulnerabilities, according to a new Cenzic report.
However, the emergence of BYOD, cloud services and mobile applications – and the continued failure of organizations to detect and address exploits around information leakage, authentication and authorization, and session management are keeping vulnerabilities nearly ubiquitous. In fact, the median number of vulnerabilities per application – 14 – is actually greater than it was in the previous year – 13.
The report revealed a wide range of findings regarding application vulnerabilities including:
- Steady growth in the incidence of security flaws in mobile applications. The report found that privacy violation and excessive privileges appear in over 80 percent of mobile applications.
- Increasing incidences of vulnerabilities found in applications shared with third parties. Cloud services providers and supply chain partners that may be outside the organization’s sphere of influence are a major source of threats today.
- Information leakage is caused by vulnerable applications. Around 23 percent of vulnerabilities were related to information leakage, in which an application inappropriately discloses sensitive data, such as technical details of the application or user-specific data.
- The age-old problem of Cross-Site Scripting (XSS) is still to blame. Some 25 percent of vulnerabilities were related to cross-site scripting (XSS), in which an application allows attackers to send malicious scripts by relaying the script from an otherwise trusted URL.
- Mixed vulnerabilities in other areas cannot be ignored. Flaws in authentication or authorization made up 15 percent of vulnerabilities, and session management errors accounted for 13 percent.
Many of today’s vulnerabilities – even those that are relatively new – are preventable. Cenzic has outlined some key best practices to remind enterprises of some simple solutions that can help secure their applications:
Implement Safe Coding Practices. These are techniques used by application developers to deflect potential security breaches. Consistent, high quality coding practices are the most effective deterrent to attacks.
Use Web Application Firewalls (WAFs). WAFs enable policy-based blocking of specific vulnerabilities that exist in applications, without rewriting application code. WAFs are a particularly effective method for rapidly blocking a vulnerability found in a production application, without requiring a full re-release of an application containing vulnerabilities.
Ensure Proper Server Configurations. This is the range of practices for managing the server hardware, operating systems and security certifications on the devices that run a particular application.