According to a new report from application security firm Cenzic, Web application vulnerabilities remain an issue, as 99% of the applications they tested were vulnerable to one degree or another, with the average application having 13 vulnerabilities on its own.
The report’s data was gathered during the Cenzic Managed Security team’s analysis of applications in production, and reveals the volume and types of vulnerabilities prevalent in web and mobile applications. While the exact number of applications tested doesn’t appear in the report itself, the vulnerabilities found by the researchers are broken down by type, frequency and severity.
Of the applications tested, Cenzic says that Cross-Site Scripting (XSS) remained the number one vulnerability (26%), followed by information leakage, authentication and authorization vulnerabilities, Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi) to round out the top five. Other vulnerabilities, such as Web Server version, remote code execution, server configuration issues, and unauthorized directory access were also discovered.
The report also includes a study of mobile security threats, focusing on how data is transferred to and stored on mobile devices. The findings say, Input Validation, Session Management and Privacy Violation combine to account for 57 percent of mobile vulnerabilities.
Cenzic says these results suggest that while storing unencrypted sensitive data on sometimes-lost mobile devices is a significant cause for concern, the often-unsecured web services commonly associated with mobile applications can pose an even bigger risk.
“Securing the application layer must be addressed more realistically by today’s businesses,” said Scott Parcel, chief technology officer at Cenzic.
“The exposure that organizations face from the trove of existing application vulnerabilities and from evolving threats has been laid bare this year, however most organizations have not comprehensively acted to defend themselves from these application level threats,” Parcel explained. “This trend continues to get worse; as the rush to create a multitude of connected mobile apps has led corporations to essentially rip out walls and replace them with unlocked doors, leaving them even less aware of how to secure at scale.”
Access to the report without registration is here.
Related: XSS Attacks Spike In Q4 2012
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
