The threat landscape is constantly evolving, growing in sophistication as well as volume and velocity. This presents serious challenges for organizations of all sizes and industry sectors. Software applications are a top target when it comes to cyberattacks: 62% of data breaches and 39% of incidents occur at the web application layer.
Risk of Un-remediated Vulnerabilities
These data points should serve as a serious cause of concern for any security team or developer. Vulnerabilities that are left un-remediated can pose a serious risk to an organization—potentially exposing critical data regarding the business and confidential personal information of customers, employees, or even partners. A recent study by IBM and Ponemon Institute shows that the average customer turnover rate caused by a data breach is 3.9 percent.
Application vulnerabilities can also become the entry point for malicious exploits that disrupt operations or even shut them down altogether. And if these detrimental outcomes aren’t enough, the brand reputation damage can be dramatic. Indeed, the same study by IBM and Ponemon reveals the long-tail effect of a data breach or operational disruption extends three or four years.
AppSec Is No Longer a Checklist Item
Application security (AppSec) is business critical—no longer simply a checklist that must be fulfilled before a software release. Recognizing that organizations are reevaluating their traditional AppSec models and seeking actionable, real-world AppSec intelligence to guide them in protecting their software, Contrast Labs publishes vulnerability and attack trends pinpointed by telemetry from customer applications. The resulting bimonthly report aids security and development professionals in understanding what vulnerabilities matter most and what attacks present the greatest risk to their applications. The report is the only one in the industry that combines insights about vulnerabilities, library issues, and attacks.
Bimonthly AppSec Intelligence Report Highlights
Some of the most notable findings Contrast Labs uncovered during the January-February 2020 time frame include:
- Nearly half of applications contain serious vulnerabilities.
- The typical application received tens of thousands of attacks each month; every application analyzed was attacked.
- More than 99 percent of attacks did not hit an existing vulnerability and thus are unsuccessful.
- Attacks on open-source code targeted vulnerabilities that were identified 3 to 10 years ago.
Excerpts from a Conversation with Jeff Williams and David Lindner
These and other trends around application vulnerabilities and attacks are examined in detail in the latest Contrast Labs’ Bimonthly Application Security Intelligence Report. Further, in a recent Inside AppSec Podcast interview conducted by Contrast’s Patrick Spencer, Contrast CTO and Co-founder Jeff Williams and Director of Application Security David Lindner delved into the findings and pinpointed various actionable insights for both security professionals and developers. A few of the highlights are included below:
PATRICK: The average application in January and February recorded over 20,000 attacks. At the same time, 99 percent of them did not reach a vulnerability. What does this mean?
DAVID: I love this statistic. It's one of my favorites in the report. For the last five years or so, we've talked about the shift-left movement. But we are getting more into extend right as well. If you look at attacks over time and how we've traditionally viewed them, we've been blocking them with a web application firewall [WAF] without having any insight into the reachability of those attacks.
But with Contrast Protect, our runtime application self-protection [RASP] solution, we can provide that data. If I look at that 20,000 attacks from a perspective of alert fatigue, for my team which monitors our own systems using this tool, I now only have to really look at the 200 or so that may succeed. I can trace the attacks all the way back into the applications—it’s such a powerful mechanism. Whereas if we were just looking at WAF data, we wouldn't have that insight.
PATRICK: We still have some serious issues to address: 47 percent of applications have serious vulnerabilities and 11 percent of applications have 15 or more vulnerabilities. Jeff, you’ve written and spoken extensively on the fact that vulnerabilities per application hasn't changed over the past two decades, despite all the different technologies and efforts that have been made on this front. It seems the data corroborates this point yet again.
JEFF: Yes, unfortunately. I wrote the OWASP Top 10 in 2002, and the vulnerabilities that we're talking about today are the same vulnerabilities we talked about back then—and it's roughly the same number of vulnerabilities.
PATRICK: The most common vulnerability is cross-site scripting [XSS]. Why is this the case?
DAVID: This doesn't surprise me at all—it is a very pervasive vulnerability. Typically, applications that have these vulnerabilities have a lot of them based on the way that they do things and utilize frameworks, though we have made some strides over the years with some newer frameworks that help with some protections.
What it really comes down to is it's really hard to solve the XSS problem. There are a lot of very technical reasons from encoding, escaping, and canonicalization of the data. This is exacerbated with the amount of third-party code that we're pulling in with no real idea if it has some of these vulnerabilities baked in.
JEFF: The most interesting change is that a lot of organizations are moving to an API style of architecture in their applications. Cross-site scripting is certainly possible with APIs and JavaScript frameworks in the client, but because you're passing the data in XML or JSON, it's a little bit less likely that you introduce an XSS flaw.
That's the only thing that we've done that's changed the vulnerability landscape; when we make an architectural change somehow that accidentally reduces vulnerabilities. The move to persistence layers tended to reduce SQL injection a little, but it's not like we got smarter about SQL injection or it's not like developers all of a sudden started coating perfectly with parameters. We moved to an architecture that's less susceptible to classes of vulnerabilities.
PATRICK: 49 percent of applications received command injection attacks, but only one percent based on our data have this vulnerability. What does this mean especially for organizations with traditional static AppSec approach?
JEFF: If you look at the OWASP Top 10, number 1 is injection. It's always been injection, because it's commonly attacked, it's a common vulnerability, and it's devastating if you have one of those vulnerabilities that gets exploited. But when we dig into the data a bit deeper and look at command injection, it shows us something interesting—it says it’s getting attacked all the time.
Why? Because it's something that's relatively easy to scan for. Your scanning tools are generating tons of payloads related to command objection to try to find vulnerabilities in the space. But we don't actually find a lot of those vulnerabilities in applications. It is pretty unusual for applications these days to call the command shell, you can do most stuff with libraries in the language. It's unusual that somebody takes untrusted data and passes it directly to a command shell. Back 15 years ago, this used to happen all the time.
The likelihood that an application has this vulnerability is relatively low compared to things like XSS and path traversal. It's important to take that into account when you're doing your risk analysis and you're prioritizing where you're planning to spend your effort. That's what this data is good for, in helping you prioritize.
These are a slice of the findings found in the bimonthly report as well as discussed in the Inside AppSec podcast show. I encourage readers to download a copy of the report and to listen to the podcast for more detail.