Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A report from Positive Technologies found that 100% of the web apps it tested contained at least one security vulnerability, with 85% being risks to users.
- Web apps need to be constantly monitored for vulnerabilities, with source code analysis being the best way to find flaws, Positive Technologies said. The key at that point is to release patches swiftly.
Security firm Positive Technologies has released a summary of its web application vulnerability testing in 2017, and the results should serve as a wakeup call to anyone using, or responsible for, a web app.
Of the web apps included in the study, not a single one was without security vulnerabilities, of which 85% allowed attackers to target web app users through attacks like cross-site scripting.
The sample size in Positive Technologies' study is small (only 33 web apps were included), and the study itself admits that the tested applications are not standard, off-the-shelf apps and contain large amounts of custom code.
Regardless of the scope of the study, its findings should put web app developers on guard, especially those building custom apps or publishing non-standard web apps—there’s no reason to assume they’re safe.
Who is most at risk and what are they facing?
Of the web apps considered in the report, nearly half belonged to financial services organizations, which were also the greatest risk category: 100% of financial services apps contained high-risk vulnerabilities.
Financial apps are the most at risk, the report said, because of their overall level of complexity. That complexity makes it easier for a bug to work its way into, and go unnoticed in, a web app’s code.
Government and e-commerce web apps were the second and third most at risk. All tested government web apps were vulnerable to cross-site scripting attacks on users, and e-commerce sites were most likely to fall prey to denial-of-service attacks.
Attacks on users were the most common category of web app vulnerability, with 85% of the tested apps susceptible to them. The report defines user attacks as cross-site scripting, HTTP response splitting, open redirect, and cross-site request forgery.
Denial-of-service attacks ranked second, followed by arbitrary file reading, OS commanding, and unauthorized database access.
How to protect your web apps
Web apps, according to Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, practically have targets painted on their backs. “Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code,” Galloway said.
The Positive Technologies report drew all of its findings from source code analysis, which it encourages web app users to make time for. Automated tools are available and are preferred to manual analysis.
Quick release of fixes is also essential—it doesn’t do any good to find a vulnerability if it isn’t patched immediately. Positive Technologies recommends putting another layer between web app users and the code itself with a web application firewall.
As with most vulnerabilities, detection prior to disaster is possible as well as practical. Don’t be caught in a bind because a known issue wasn’t addressed.