Application Vulnerability Trends Report : 2013
Table of Contents

Introduction ..... 3
99% of Tested Applications Have Vulnerabilities ..... 4
Cross Site Scripting Tops a Long List of Vulnerabilities Detected in 2012 ..... 5
Vulnerability Population Trends for 2013 ..... 6
Session Management Vulnerabilities Appear in 80% of Applications ..... 7
Mobile Vulnerabilities for 2013 ..... 8
Common, Preventable Application Vulnerabilities ..... 8
Common, Detectable Application Vulnerabilities ..... 9
Conclusion ..... 10
About Cenzic ..... 10

PAGE 2 of 10
Introduction

In 2013 it's hard to find any organization that isn't routinely sharing sensitive information with customers, suppliers and employees through their Internet and intranet web applications. The benefits of doing business on the Internet are clear, and the use of web-based applications continues to grow across the board. Many organizations are expanding on this trend by utilizing new cloud and mobile infrastructures, allowing even more sensitive data to live outside of their private networks.

While the benefits of web applications are clear, the risks to your organization, brand, applications, and data are more apparent than ever. Every day there are new reports of highly organized cyber attacks on leading websites. High profile victims like The New York Times, Bank of America, and the US Federal Reserve have acknowledged breaches of their systems resulting in theft, espionage, and service interruption. What is less clear is how many companies in total have been breached, including those that are completely unaware of the compromise of their systems. The cost of cybercrime is immense, with some analysts reporting economic losses as high as $1 trillion per year. What's more, the toll on IT and security teams after a breach is significant, as there is a rush to remediate the damage.

As you read this report, ask important questions about your organization's security and risk profile. Are you aware of the security testing process that's completed on your portfolio of web applications? Do you know what vulnerabilities each of these applications has? What level of risk from application insecurity is acceptable to your business?

This paper, based on data collected by the Cenzic Managed Security team, shares details about the kind, frequency and severity of vulnerabilities that will be found in production applications in 2013. Please use this document to understand the current vulnerabilities and risk landscape. And more importantly, use it as a motivation to improve the security posture for your currently deployed apps and to improve your security practices into the future.
99% of Tested Applications Have Vulnerabilities

First and foremost, 99% of all applications tested in 2012 have one or more serious security vulnerabilities. And with a median number of vulnerabilities per app of 13, it's no wonder that application-level attacks are a focus for hackers. These shocking facts serve as a warning call to all information security and application development personnel: most applications, including yours, are vulnerable to attack. Hackers easily exploit many of these vulnerabilities. More importantly, vulnerabilities translate into risk to your organization, brand, applications and data.

But there is good news. Many of these vulnerabilities are also relatively easy for application security teams to detect, block and fix during every phase of the application life cycle. Technologies and processes for reducing application vulnerabilities include secure coding standards, vulnerability scanning, web application firewalls and intrusion detection, among others. The best results come from a multi-layered and coordinated approach that includes technology, processes, employees and a security-oriented corporate culture.

The time to act is now, before the risk of an attack turns into a breach. Real breaches can cost your business millions of dollars for material losses, remediation expense and loss of goodwill with customers. The changes required to improve your risk profile are possible with currently available security tools and your existing engineers. While the worldwide shortage of experienced web development engineers may impact the pace of development of new applications, it is no excuse for exposing your organization to excessive security risk by releasing applications with major vulnerabilities.

Figure 1: 2011-2012 Summary Statistics: Application Vulnerabilities
  Percentage of tested apps with vulnerabilities: 99% (2011), 99% (2012)
  Median number of vulnerabilities per app: 16 (2011), 13 (2012)
Cross Site Scripting Tops a Long List of Vulnerabilities Detected in 2012

At 26% of the total, Cross Site Scripting (XSS) was the most frequently found vulnerability in apps tested in 2012. Quite surprisingly, XSS vulnerabilities rose significantly in 2012 over 2011. Many XSS vulnerabilities are severe and many tested apps have multiple XSS exposure points to remediate.

Information Leakage and Session Management Errors follow in frequency, each at 16% of total vulnerabilities found. Authentication and Authorization (13%), Cross Site Request Forgery (CSRF) (8%), SQL Injection (6%), Web Server Version (5%), Remote Code Execution (5%), Web Server Configuration (3%), and Unauthorized Directory Access (2%) round out the 2012 vulnerability population. While XSS leads the list in terms of frequency of occurrence, security professionals are responsible for all vulnerabilities in their application portfolios.

Figure 2: 2012 Web Application Security Vulnerability Population
Vulnerability Population Trends for 2013

In addition to being the largest population of vulnerabilities, XSS is on the rise. The 2012 level of 26% is up significantly from the 2011 level of 17% of detected vulnerabilities.

Figure 3: 2011 vs. 2012 Vulnerability Population Trend

Figure 3 shows that five categories of vulnerabilities declined in 2012, while five categories increased. While these trends are modestly good news, it is important to remember that vulnerabilities still exist across all categories. Vulnerabilities exist in legacy applications and new applications. And emerging cloud and mobile applications increase the complexity of your security efforts. Moreover, the threats from these vulnerabilities continue to evolve as bad actors experiment with new and different attack strategies.

The above analysis is from the perspective of vulnerability population. All vulnerabilities found during testing were added to the totals. In other words, if an XSS error is found 20 times in a single application, all 20 are counted toward the total. This analysis is instructive of the distribution of vulnerabilities in aggregate. Keep in mind that applications with large numbers of similar vulnerabilities are common. The next section analyzes the vulnerability data from the perspective of application population, providing visibility into the range of vulnerabilities within an application.
Session Management Vulnerabilities Appear in 80% of Applications

As mentioned earlier in this report, 99% of applications have one or more vulnerabilities, and the median number of vulnerabilities per tested application is 13. Below is the breakdown of which vulnerability classes were found in any single application. Figure 4 shows that Session Management vulnerabilities were detected in 80% of applications tested in 2012, more than any other application vulnerability class.

Figure 4: 2011 vs. 2012 Application Vulnerability Class Trend

And there's more. XSS vulnerabilities appear in 61% of applications, followed by Authentication and Authorization (45%), Web Server Configuration (28%), CSRF (22%), Information Leakage (17%), SQL Injection (16%), Web Server Version (10%), Unauthorized Directory Access (8%) and Remote Code Execution (3%). Numbers will not add up to 100% as each application can have vulnerabilities in multiple classes.

The top conclusion from the application analysis matches the conclusion from the vulnerability population analysis in the previous section: application vulnerabilities are common. The application analysis shows that vulnerabilities aren't limited to a few poorly designed applications; rather they exist in most applications. Both analyses demonstrate that application vulnerabilities are broad in scope and large in number.

All vulnerability categories except SQL Injection declined in 2012, suggesting that application teams may be improving their security practices. The increase in detection of SQL Injection vulnerabilities, however, may be due to improvements in the detection tools more than to new deficiencies in security practices.
Mobile Vulnerabilities for 2013

As mobile handsets and especially smart phones and tablets proliferate, tracking vulnerabilities becomes critical. The Cenzic Managed Services team has discovered the following vulnerabilities during 2012:

Figure 5: 2012 Mobile Application Vulnerability Population

Mobile developers need to put extra attention on how data is transferred to and stored on mobile devices, as Input Validation (21%), Session Management (11%) and Privacy Violation (25%) combine to account for 57% of mobile vulnerabilities. Storing unencrypted sensitive data on often-lost mobile devices is a significant cause for concern, but the often-unsecured web services commonly associated with mobile applications can pose an even bigger risk.

Common, Preventable Application Vulnerabilities

It is important for application developers and administrators to have a thorough knowledge of the common application attacks, the tools available for detecting vulnerabilities and the procedures for fixing applications. Web application security scanning technology is effective at detecting most classes of vulnerabilities. Scanning apps during the development phase of the application lifecycle ensures your development team is following best practices and helps to reduce the cost of corrections. Scanning apps in the production phase is important to ensure secure apps are protected against new threats, and is often the only practical way of cost-effectively scanning all applications on a sufficiently regular basis. Cenzic offers a range of solutions to help organizations identify security issues in all phases of the application lifecycle.

Most solutions for blocking and fixing application security vulnerabilities fall into one or more of three categories.

Coding Practices are techniques used by application developers to deflect potential security breaches. Consistent, high quality coding practices are the most effective deterrent to attacks.

Web Application Firewalls (WAFs) enable policy-based blocking of specific vulnerabilities that exist in applications, without rewriting application code. WAFs are a particularly effective method for rapidly blocking a vulnerability found in a production application, without requiring a full re-release of an application containing vulnerabilities.

Server Configuration is the range of practices for managing the server hardware, operating systems and security certifications on the devices running the application.

Finally, it is important to emphasize that all of these practices are maximally effective when they are part of an enterprise-wide security governance policy.
Common, Detectable Application Vulnerabilities

Cross Site Scripting (XSS)
  Description: An application allows attackers to send malicious scripts by relaying the script from an otherwise trusted URL.
  Block/Fix: coding standards, web application firewall

Information Leakage
  Description: An application inappropriately discloses sensitive data, such as technical details of the application, environment, or user-specific data.
  Block/Fix: coding standards, web application firewall

Session Management
  Description: An application inappropriately allows attackers to interject themselves as valid website users.
  Block/Fix: coding standards

Authentication & Authorization
  Description: An application does not properly ensure unbreachable and unreplayable authentication, and/or authorized access to data and capabilities is not properly enforced on the server side of the application. This includes enforcement of proper encrypted communication of credentials, password standards enforcement, feature and data access ACL enforcement, etc.
  Block/Fix: server configuration, coding standards

Cross Site Request Forgery (CSRF)
  Description: A vulnerability that allows attackers to send pre-authenticated but unauthorized commands using credentials that the application trusts.
  Block/Fix: coding practices, web application firewall

SQL Injection
  Description: An attacker uses various techniques to inject SQL commands to access information that should be inaccessible, such as application data, table structure and error messages. SQL injections can also cause data destruction, planting of malicious data, and infrastructure info leakage.
  Block/Fix: coding standards, web application firewall

Web Server Version
  Description: Attackers exploit applications, servers and databases through unpatched older versions of server software with known security issues.
  Block/Fix: server configuration

Remote Code Execution
  Description: An application allows any arbitrary commands to execute on a vulnerable device. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  Block/Fix: coding practices, server configuration

Web Server Configuration
  Description: Attackers exploit misconfigured servers or access to server configuration files, enabling further, more sophisticated attacks.
  Block/Fix: server configuration

Unauthorized Directory Access
  Description: Access to directory listings should be restricted. Unsecured directories can be traversed, accessed and viewed by an attacker who may be able to access or view the contents of files.
  Block/Fix: server configuration
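The table lists "coding standards" as the block/fix for SQL Injection and XSS without showing what that looks like in code. The following is an added example (not from the Cenzic report or its products) that puts the defective pattern beside the corrected one for both classes, using a constructed in-memory SQLite user table and Python's standard library; the function and table names are the example's own.

```python
import html
import sqlite3


# Constructed sample data: an in-memory table standing in for an application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "user"),
        ("bob", "bob@example.com", "admin"),
    ])
    return conn


# Defective: untrusted input is spliced into the SQL text, so the input, not the
# developer, decides the structure of the query that runs (the SQL Injection row).
def find_user_vulnerable(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Corrected: the query text is fixed at development time and the input travels as
# a bound parameter, so the database only ever treats it as a string value.
def find_user_hardened(conn, name):
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Defective: a user-controlled value is echoed into HTML verbatim, so any markup
# in it becomes part of the page served to other users (the XSS row).
def render_greeting_vulnerable(name):
    return "<p>Hello, " + name + "</p>"


# Corrected: every untrusted value is HTML-escaped at the point it is written into
# the page, which is the coding standard a scanner checks for.
def render_greeting_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: it shows that the caller controls the
    # vulnerable query's structure, while the parameterized query treats it as data.
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(db, probe))   # every row, including the admin account
    print(find_user_hardened(db, probe))     # no rows: nobody is literally named that
    print(render_greeting_vulnerable("<b>bob</b>"))
    print(render_greeting_hardened("<b>bob</b>"))
```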
Conclusion

Judging from the vulnerabilities found through Cenzic's testing of enterprise-class web and mobile applications, more needs to be done in 2013 to reduce application vulnerabilities, security risk and the specter of successful attacks. While the majority of companies have the important security building blocks, such as firewalls and intrusion protection systems, needed for their security infrastructure, not enough organizations have comprehensive practices in place for securing applications. The result is that bad actors are increasingly focusing on and succeeding with application-level attacks.

Finally, threats and vulnerabilities change over time. Security is a process, not a once-and-done event. Anticipate future vulnerabilities by planning to re-scan production applications frequently.

About Cenzic

Cenzic provides the leading application security intelligence platform to continuously assess Cloud, Mobile and Web applications to reduce online security risk. Cenzic's solutions scale from single applications to enterprise-level deployments with hybrid approaches that enable testing of applications at optimal levels. Cenzic helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic's solutions are used in all parts of the software development lifecycle, and most importantly in production, to protect against new threats even after the application has been deployed. Cenzic's application security intelligence platform is architected to handle web, cloud and mobile applications and is the first to provide risk reduction recommendations for business, application developers and specific applications. Today, Cenzic secures more than half a million online applications and trillions of dollars of commerce for Fortune 1000 companies, all major security companies, government agencies, universities and SMBs.

www.cenzic.com