Despite years topping vulnerability lists, SQL injection and cross-site scripting errors (XSS) remain the bane of security teams, according to a new report by a penetration-testing-as-a-service company.
The report by BreachLock, based on 8,000 security tests performed in 2021, organises its findings based on risk. Critical risk findings pose a very high threat to a company's data. High risks could have a catastrophic effect on an organisation's operations, assets or individuals. Medium risks could have an adverse impact on operations, assets or individuals.
More than a third of the critical risks found in web applications (35 per cent) can be attributed to injection or data exposure, which the report noted is a matter of concern because of the number of applications being hosted on the internet is growing with the increase in digitalisation among organisations.
"Despite SQL injection being such a common vulnerability for years, I'm surprised to see it is still as common as it was in 2014, 2015," said BreachLock Vice President of Products Prateek Bhajanka. "More than 27 per cent of our findings are SQL injection findings."
Adoption of DevSecOps improving application security
Even more alarming, according to the report, is that more than 50 per cent of the high-risk findings found in web apps could be pegged to cross-site scripting errors. The report explained that developers often take the "deny list" approach to data validation over the "allow list" approach, which leads to new data exploiting cross-site scripting vulnerabilities.
Nevertheless, critical and high findings for web apps represent only five per cent of all findings for the category. These data insights re-affirm that web application security, especially with the adoption of DevSecOps, is resulting in improved application security, the report claimed.
When analysing the infrastructure of organisations, BreachLock found a greater percentage of critical and high vulnerabilities in their internal infrastructure (more than 15 per cent) compared to their external infrastructure (more than nine per cent). That indicates, the report noted, that organisations impose greater rigour in managing external-facing vulnerabilities than internal ones.
The report cautioned that cyber threats don’t only come from external facing assets. Internal systems can be breached using phishing emails and stolen credentials to elevate privileges and move laterally within a network.
Smaller organisations more vulnerable
Critical and high findings were low in mobile apps, just over seven per cent for Android apps and close to five per cent for iOS programs. Among the most common high and critical errors in mobile apps identified in the report were hard-coded credentials into apps. Using these credentials, attackers can gain access to sensitive information, the report explained.
More than 75 per cent of the errors found in APIs were in the low category. However, the report warns that low risk doesn’t equate to no risk. Threat actors don’t consider the severity of the findings before they exploit a vulnerability, it warned. Among the highest critical risks found in APIs were function-level controls missing (47.55 per cent) and Log4Shell vulnerabilities (17.48 per cent).
Of all high and critical findings across companies, the report noted, 87 per cent were found in organisations with fewer than 200 employees. The report identified several reasons for that, including cybersecurity being an afterthought in relatively small organisations; a dearth of bandwidth, security know-how, and staffing; a lack of security leadership and budget; and the speed of business overpowering the need of doing business securely.
The report also analysed average times for mitigating critical and high findings by business vertical, finding the highest times in the manufacturing (101 days) and healthcare sectors (95.56 days) and lowest times in the automotive (30 days) and professional services (33 days) sectors.
Bhajanka hopes organisations will be able to use the findings in the report to improve their cyber security posture. "They will be able to see whether they are doing better than global peers in the industry or doing worse," he observes. "If they're doing worse, it should be an alarm for them."