The massive application attacks on SolarWinds and Microsoft Exchange Server in recent months did not slow the activity of cyber criminals. In March and April of this year, for example, social media networks were hit with several high-profile data breaches when the personal profile information of hundreds of millions of users at Facebook, LinkedIn, and social audio startup Clubhouse were publicly posted on hacker forums. Attacks on the healthcare industry continued, with Washington state’s MultiCare Health System and Cancer Treatment Centers of America suffering breaches of more than 100,000 records each. And as travelers start in earnest to board planes again, airline technology provider SITA suffered a breach that exposed passenger data from multiple airlines.
MORE WAKE-UP CALLS
These incidents remind us that cybersecurity presents a growing risk at organizations in all industries. And application security is a vital part of that risk portfolio. The recently published Verizon Data Breach Investigations Report found that 39% of data breaches were the result of application vulnerabilities.
This reality is reflected in Contrast Labs’ latest Application Security Intelligence Report for March–April. The report analyzes telemetry data from thousands of applications covered by Contrast Assess and Contrast Protect to identify trends and help organizations prioritize their application security efforts. For this bimonthly period, vulnerabilities declined somewhat, but applications were hit more frequently with attacks—and a growing percentage of those attacks were viable.
CONTRAST RISKSCORE INDEX FOR MARCH–APRIL
The report begins by updating the Contrast RiskScore™ Index for March–April. These numerical scores help readers to visualize the relative risk presented by different vulnerability types over time. For this bimonthly period, broken access control and cross-site scripting (XSS) continue to be the two most risky vulnerability types by far.
There is a significant gap between these two vulnerability types and the third highest score—insecure configuration—that is nearly two points lower than that of XSS. Sensitive data exposure stays in fourth position while broken authentication moved from the sixth to fifth position. Further down the list, insecure deserialization returned to the top 10 after its RiskScore increased by more than a point from January–February.
VULNERABILITY TRENDS: A SLIGHT IMPROVEMENT
Application vulnerability trends in March–April 2021 showed a slight improvement overall compared with the previous bimonthly period. Only 32% of applications contained a serious vulnerability, a decline from January–February’s 34%. To put this in context, however, even the 32% figure is still higher than any month before November 2020. So the percentage of applications with serious vulnerabilities remains elevated.
Just two vulnerability types were more likely to be found in a given application than in January–February: insecure configuration and SMTP header injection. But the entire increase is accounted for with non-serious vulnerabilities. In fact, the percentage of overall vulnerabilities that were serious declined from 39% to 38% for this bimonthly period.
The subset of applications with a large number of vulnerabilities shrank slightly as well. The percentage of applications with more than 50 vulnerabilities declined from 11 to 9%, and the percentage of applications with more than 20 serious vulnerabilities declined from 7 to 6%. As a result, the average number of vulnerabilities found in a vulnerable application declined from 61 in January–February to 52 for March–April. Interestingly, the number of serious vulnerabilities per vulnerable application increased from 58 to 59.
On the language front, the percentage of .NET applications with serious vulnerabilities declined from 28% in January–February to 23% for March–April, which is an encouraging change since this number had been steadily trending upward for six months. The percentage of Java applications with serious vulnerabilities also experienced a decline, from 39% in January–February to 37% in March–April.
ATTACK TRENDS: MORE VIABLE ATTACKS
But this is where the good news stops. Data from Contrast Protect users revealed an uptick in attack activity, and a big increase in viable attacks. After hitting an all-time low of less than 0.5% in January–February, the percentage of attacks that hit an existing vulnerability in Java applications skyrocketed to 3% in March–April—near the highest share ever observed by Contrast Labs. This means that fewer attacks were probes and more were targeted in places where they could potentially be successful.
Most vulnerability types were attacked in more applications during March–April than in the previous bimonthly period. Cross-site scripting (XSS) attacks impacted 55% of applications, a 90% increase from January–February’s 29%. The percentage of applications attacked by broken access control also increased by 79%. Broken access control also became the most likely vulnerability to be attacked, impacting 86% of applications.
This worsening threat landscape—coming from both nation-state actors and common cyber criminals—prompted the White House to issue a new executive order in May. This order, focused on improving the nation’s cybersecurity, places a lot of emphasis on application security and the software supply chain. While various departments still need to write the regulations to implement the directive, the White House’s action could motivate software providers to deliver more secure applications.
In service of this goal to help organizations to improve application security, Contrast Labs’ bimonthly reports help readers keep up with evolving trends. The March–April results indicate an increase in the percentage of applications experiencing many attack types. Even more concerning is the percentage of attacks that were viable in Java applications, which increased more than sixfold over January–February to one of the highest percentages we have observed. Some attackers may be trying to “ride the wave” of the SolarWinds and Microsoft Exchange attacks.
The increase in viable attacks is a wake-up call to organizations that have a large security debt of unaddressed vulnerabilities. While vulnerability trends were down somewhat in this report, applications continue to have far too many serious vulnerabilities. Nearly one-third (32%) of applications have at least one serious vulnerability and 7% have more than 20. Worse yet, our recent State of Application Security in Financial Services Report found that 98% of respondents had had three or more successful application exploits in the past 12 months, and 76% suffered at least $1 million in losses per exploit.
Recent attacks make it increasingly clear that legacy application security tools and processes are inadequate for today’s fast-moving and rapidly evolving software development operations. Too often, they delay release cycles while doing very little to help the application be more secure. Developers don’t receive information on vulnerabilities for days or weeks, making it harder to fix them.
Contrast’s instrumentation approach protects applications across the software development life cycle (SDLC). Contrast Assess performs continuous scanning of applications from within the application—and provides real-time, actionable feedback that enables developers to fix the problem immediately after it is created. Contrast OSS provides real-time analysis of the open-source libraries and frameworks in applications, enabling visibility of everything from versioning to newly discovered vulnerabilities. Contrast Protect provides runtime protection for applications in production, enabling organizations to deploy applications with confidence. Because developers can take care of most problems themselves, security professionals can focus on strategic initiatives. It enables security to be more effective and move at the speed of DevOps.
For More Information on the Report
For more information, download the full Contrast Labs Application Security Intelligence Report for March–April 2021. Or listen to the Inside AppSec Podcast, “Java Applications Under Attack Barrage in the Latest Contrast Labs Bimonthly AppSec Intel Report,” with Contrast CTO and Co-founder Jeff Williams and myself.