Today at Infosecurity Europe 2017, High-Tech Bridge released a summary report on application security trends for Q1 – Q2 2017.
Statistical data mentioned in the report largely comes from the ImmuniWeb application security testing platform and High-Tech Bridge’s free web security services, but also leverages a wealth of data from various open sources. The most interesting and important trends are outlined below.
Bug Bounty fatigue trend is one that will continue
The Bug Bounty fatigue trend is set to progress: 9/10 web applications in the scope of a private or public bug bounty program, running for a year or longer, contained at least two high-risk vulnerabilities undetected by the crowd security testing.
Such vulnerabilities usually require a thorough understanding of the web application's structure, architecture and business logic. Security researchers on crowd security testing platforms are paid by result, and only if they report their discovery before anyone else. Unsurprisingly, researchers adapt their targets and methodologies accordingly, giving preference to newcomers who have just launched a bounty program and looking for flaws that do not take much time to detect.
The recent partnership between Qualys and BugCrowd will likely reduce such “easy-cash bounties”, motivating many researchers to take a risk-free full-time job in the industry. Google’s Project Zero Prize, which ended without a single valid submission, is a good example that researchers are not motivated to spend endless nights on complicated vulnerabilities and exploitation techniques without a solid assurance of payment.
Mobile backends are the Achilles heel of the corporate defense perimeter
83% of mobile apps in the banking, financial and retail sectors have a mobile backend (web services and APIs) that is vulnerable to at least one high-risk security vulnerability. The most common vulnerabilities are insufficient or missing authorization when accessing sensitive data or data belonging to other users.
Various injections, mainly SQL and XML injections, are also quite common, aggravated by the frequent absence of a WAF in front of the mobile backend.
Risks related to mobile applications are highly exaggerated
Over 95% of vulnerabilities residing in mobile application code are not easily exploitable and do not pose a major risk. The most common flaw in mobile applications in the banking, financial and retail sectors is insecure or cleartext storage of sensitive or authentication data on the mobile device.
The second most common flaw consists of insecure, or otherwise unreliable, components used in the application code, putting mobile phone privacy at risk. The third is insecure communication with the mobile backend (APIs and web services), allowing sensitive data to be intercepted or MITM attacks to be conducted.
All of these vulnerabilities usually require another malicious application already installed on the device, and/or an attacker on the same network segment as the victim, and are thus hardly exploitable in the wild.
Web interfaces of IoT devices represent an enormous risk
98% of web interfaces and administrative panels of various IoT devices had fundamental security problems. Among them: hardcoded and unmodifiable admin credentials, outdated software (e.g. the web server) without any means to update it out of the box, lack of HTTP traffic encryption, and various critical vulnerabilities in the interface, including RCE (Remote Command Execution) directly in the login interface.
Manufacturers who build IoT objects still do not understand that the cybersecurity of their products is becoming even more vital than manufacturing quality standards, and that neglecting it puts their customers at enormous risk.
DevSecOps cannot protect from human negligence
2/3 of companies that leverage a DevSecOps approach to application development had at least one high- or critical-risk vulnerability in their external web applications due to a lack of internal coordination, human negligence or a business reason. For example, a highly secure web application can sit on the same domain as an unprotected file upload form, or as a recent database backup left in a predictable location.
This is especially true for agile development, where many different people in different locations make changes to the application code simultaneously. The bigger the organization, the more complicated it is to prevent such incidents, as numerous data and process owners change their decisions and requirements much faster than IT has time to properly adopt them while following internal processes.
XSS, CSRF and information disclosure are still the most popular vulnerabilities
Globally, these three OWASP Top Ten vulnerabilities may easily pass the 80% bar. However, in banking, financial, insurance and e-commerce sectors, they represent just 50.9% of flaws.
Thorough and mature security testing, greater security awareness, compliance and regulatory requirements in these industries can probably explain this disparity.
OWASP Top Ten becomes harder to detect
Despite their overwhelming popularity, 53% of simple flaws from the OWASP Top Ten, such as XSS, are no longer detectable by vulnerability scanners and other fully automated solutions.
Such vulnerabilities more and more frequently require a complicated chain of exploitation that only a human can perform. For example, many XSS flaws that look simple at first glance require a valid client ID or Google’s reCAPTCHA, or are only reproducible with a long set of other valid HTTP parameters. Moreover, complicated authentication systems (e.g. using 2FA and session expiration in case of abnormal behavior) prevent vulnerability scanners from testing the authenticated part of the application.
Therefore, fully automated vulnerability detection for modern web applications is becoming highly challenging.
Web server security hardening is massively ignored
Statistics from High-Tech Bridge’s free online Web Server Security test show that a Content Security Policy (CSP), various security-related HTTP headers and other options of web server security hardening are currently fully implemented only on 2.4% of global web servers.
Even though almost all social networks have implemented the above-mentioned measures, overall awareness that many XSS and CSRF attack vectors can be effectively mitigated at the web server level remains low.
WAFs mitigate simple OWASP Top Ten flaws, but fail to protect from sophisticated flaws
Only 22% of SQL injections in web applications protected by a commercial WAF were fully exploitable (i.e. allowing sensitive data to be extracted from the database). However, 58% of these vulnerabilities were partially exploitable (e.g. revealing the SQL server version or user) using various WAF bypass techniques.
Meanwhile, in 88.7% of cases, various types of complicated improper access control, chained vulnerabilities and flawed application business logic were not detected, and thus remained unremediated by WAFs.
Growth of HTTPS encryption reliability is stagnating
In June 2017, High-Tech Bridge’s free SSL/TLS server test passed 2.2 million unique tests (not counting API usage, repeated tests and subdomain analysis). 64.4% of all tested web servers received an “A” grade, and 47.5% have a TLS configuration that is compliant with PCI DSS requirements.
However, this represents growth of just 0.2% and 0.1% respectively over the last six months. The top countries hosting web servers with the most secure HTTPS configuration are still the USA, Germany, France, the Netherlands and the UK.