The latest Cenzic report on application vulnerability trends shows that things aren't getting any better. All software has bugs, and almost all of them have bugs that are security vulnerabilities. In fact, on average, they have 14 separate vulnerabilities – a quarter of which are cross-site scripting flaws.
The root cause seems to come from two separate pressures. "CISO’s often tell us," notes the Cenzic report, "that they struggle to hire, train and retain web application security experts. Application developers often tell us they struggle with development timelines and more of their compensation is tied to feature completion rather than security certification."
Caught between the need to develop quickly and the lack of staff to test thoroughly, the result is buggy applications. Cenzic adds a third problem: hackers are increasingly turning their attention to exploiting applications rather than just defeating firewalls and antivirus. "While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure," notes the report, "not enough organizations have comprehensive tools and practices in place for securing applications. The result is that hackers are increasingly focusing on and are succeeding with layer 7 attacks."
There is some good news, however. The overall number of tested applications that include vulnerabilities has actually fallen slightly – from 99% in 2012 to 96% in 2013. Against this the average number of vulnerabilities per application has risen from 13 to 14 in the same time period.
The most frequent flaw is a cross-site scripting flaw. "At 25% of the total, XSS was the most frequently found vulnerability in apps tested in 2013. A substantial percentage of tested apps have multiple XSS exposure points to remediate and many of them create severe security risks." Information leakage vulnerabilities are second at 23%, with authentication and authorization (15%), session management (13%), SQL injection (7%) and cross site request forgery (6%) following.
Cenzic's research is supported by experience from the coal face. Independent pentester Robin Wood told Infosecurity, "I rarely test an application and don't find any issues." However, he believes that the severity of each flaw also needs to be considered. "Testers often ask for protection measures such as WAFs to be disabled during tests to aid testing the application rather than the defenses – this may affect actual results."
Wood also suggests that there may be an additional reason for the proliferation of flaws – strangely, it may be because developers are actually becoming more security conscious. Secure web frameworks promise a high degree of security, suggesting, he says, that "developers no longer need to worry about defending their apps against the basic attacks as the frameworks will do the defense for them." Developers are consequently adopting these frameworks, but the result, caught between commercial pressure to complete quickly and framework promises of security, is "making developers lazy as they don't feel they have to worry about security as the framework will protect them."