A report from Positive Technologies found that 100% of the web apps it tested contained at least one security vulnerability, with 85% being risks to users.
Web apps need to be constantly monitored for vulnerabilities, with source code analysis being the best way to find flaws, Positive Technologies said. The key at that point is to release patches swiftly.
Security firm Positive Technologies has released a summary of its web application vulnerability testing in 2017, and the results should serve as a wakeup call to anyone using, or responsible for, a web app.
Of the web apps included in the study, not a single one was without security vulnerabilities, and 85% allowed attackers to target web app users through attacks like cross-site scripting.
The sample size in Positive Technologies' study is small (only 33 web apps were included), and the study also admits that the tested applications are not standard apps and contain large amounts of custom code.
Regardless of the scope of the study, its findings should put web app developers on guard, especially those building custom apps or publishing non-standard web apps—there's no reason to assume they're safe.
Who is most at risk and what are they facing?
Of the web apps considered in the report, nearly half belonged to financial services organizations, which were also the greatest risk category: 100% of financial services apps contained high-risk vulnerabilities.
Financial apps are the most at risk, the report said, because of their overall level of complexity. That complexity makes it easier for a bug to work its way into, and go unnoticed in, a web app's code.
Government and e-commerce web apps were the second and third most at risk. All tested government web apps were vulnerable to cross-site scripting attacks on users, and e-commerce sites were most likely to fall prey to denial-of-service attacks.
Attacks on users were the most common form of web app vulnerability, with 85% of the apps tested susceptible to them. User attacks in the report are defined as cross-site scripting, HTTP response splitting, open redirect, and cross-site request forgery.
Denial-of-service attacks ranked second, followed by arbitrary file reading, OS commanding, and unauthorized database access.
How to protect your web apps
Web apps, according to Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, practically have targets painted on their backs.
"Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code," Galloway said.
The Positive Technologies report pulled all its information from source code analysis, which it encourages web app users to make time for. Automated tools are available and are preferred to manual analysis.
Quick release of fixes is also essential—it doesn't do any good to find a vulnerability if it isn't patched immediately. Positive Technologies recommends putting another layer between web app users and the code itself with a web application firewall.
As with most vulnerabilities, detection prior to disaster is possible as well as practical. Don't be caught in a bind because a known issue wasn't addressed.
The original article is from TechRepublic.