One in three applications contains a major or critical vulnerability. Outdated software, failure to install updates and lack of multifactor authentication are the biggest culprits.
These are the most important findings in a study by Dutch security company Computest about the state of application security. In one year the company, supported by ethical hackers, conducted 300 security tests on applications from various organizations. The apps tested contained an average of 12 vulnerabilities, with one-third requiring immediate action based on a vulnerability’s CVSS score.
CVSS scores are considered the industry standard for identifying vulnerabilities at a glance. They help IT teams prioritize potential cyber risks, although context is always needed to interpret the actual danger.
Tip: When is a critical vulnerability actually dangerous?
Even worse in practice
According to Computest Security CEO Dennis de Hoog, the picture is somewhat distorted. The reality is possibly even worse: “The organizations included in the anonymized survey proactively asked us for a security test and so already know these kinds of tests are necessary to perform periodically”, he says. He expects the percentage of vulnerable applications across all organizations to be even higher.
A common vulnerability was cross-site scripting (XSS). This involves injected code going into action as soon as an unsuspecting user runs the application. Computest indicates that this can lead to data loss or a redirect to a rogue website. Sixty percent of the XSS vulnerabilities occurred without a user having an account.
Authentication proved to be a persistent problem: In 34 percent of cases, it was implemented insecurely, while 19 percent of apps did not include multifactor authentication (MFA).
Known problems, known solutions
Another point of contention is the deployment of third-party components. In 70 percent of cases, ethical hackers found a vulnerability in these kinds of applications. 39 percent of third-party software found went altogether unsupported.
Once again, basic flaws appear to cause problems for organizations. The most common ones can be easily explained: outdated, unsupported software may not have a suitable replacement, update policies are confusing, or would cause costly downtime. The lack of multifactor authentication should be less prevalent, but doesn’t get enough attention.
De Hoog stresses that organizations need to do a better job. “Plenty of measures that can easily be taken are generally not rocket science, but they just don’t rank high enough on companies’ agendas. Moreover, applications often receive less attention than internal or cloud networks. But they are just as much a part of the attack surface. As long as organizations are not affected by security incidents caused by application vulnerabilities, these receive little attention. However, the impact becomes immediately clear as soon as an incident occurs. This harms the organization, the application’s users, and sometimes even third parties. Consider the misuse of data from applications for criminal purposes. This usually has major consequences for the company and those directly and indirectly involved. Such incidents affect the entire chain.”
Also read: Computest Security shapes European plans with acquisition of Incide