Steady rise in severe web vulnerabilities

Invicti Security released a research which reveals a rise in severe web vulnerabilities and the need for executive leaders to intertwine their application security and digital transformation efforts to reduce risk.

The report examines web vulnerabilities from over 939 customers worldwide and was derived from the largest data set yet, with more than 23 billion security checks executed on customer applications uncovering over 282,000 direct-impact vulnerabilities.

The data shows that numerous commonplace and well-understood vulnerabilities continue to proliferate in web applications, and the continued presence of these vulnerabilities presents a serious risk to organizations in every industry.

Key findings

• Remote code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi) are all top offenders, each increasing in frequency or hovering around the same alarming numbers year over year. These vulnerabilities can lead to consequences such as compromised back-end data, hijacked sessions, or forced actions on behalf of other users and services.
• Remote code execution, always the ultimate goal of malicious attackers but now especially prominent due to last year’s Log4Shell vulnerability, has seen a steady increase since 2018, jumping 5% in frequency.
• After a slight improvement in 2020, cross-site scripting (XSS) backslid in 2021, with its incidence rising 6% year over year.
• Two industry sectors saw above-average SQL injections. 35% percent of educational institutions and 32% percent of government organizations experienced at least one occurrence of SQLi, reflecting that legacy code still in production in these industries needs modernization, and knowledge gaps for developers should be addressed.

Direct-impact vulnerabilities simply aren’t reducing in frequency, but there are foundational elements to every AppSec program that can improve security posture. For many organizations without adequate security measures, the persistence of vulnerabilities can be attributed to failures in secure design, a lack of comprehensive scanning, and the prevailing talent gap in cybersecurity. While these stressors increase risk, organizations that adopt a proactive and comprehensive approach to application security, prioritizing secure design, baking security into the very architecture of applications, and scanning their entire application footprint, will reduce risk significantly.

“Once again, we’ve seen that even well-known vulnerabilities are still prevalent in web applications,” said Invicti president and COO Mark Ralls. “It’s time for organizations to gain command of their security posture. The only way to do that is to ensure that security is in the DNA of an organization’s culture, processes, and tooling so that innovation and security go hand-in-hand.”