Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Web Applications Remain Vulnerable to Basic Flaws: Report

According to a new report from application security firm Cenzic, Web application vulnerabilities remain an issue, as 99% of the applications they tested were vulnerable to one degree or another, with the average application having 13 vulnerabilities on its own.

According to a new report from application security firm Cenzic, Web application vulnerabilities remain an issue, as 99% of the applications they tested were vulnerable to one degree or another, with the average application having 13 vulnerabilities on its own.

The report’s data was gathered during the Cenzic Managed Security team’s analysis of applications in production, and reveals the volume and types of vulnerabilities prevalent in web and mobile applications. While the exact number of applications tested doesn’t appear in the report itself, the vulnerabilities found by the researchers are broken down by type, frequency and severity.

Of the applications tested, Cenzic says that Cross-Site Scripting (XSS) remained the number one vulnerability (26%), followed by information leakage, authentication and authorization vulnerabilities, Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi) to round out the top five. Other vulnerabilities, such as Web Server version, remote code execution, server configuration issues, and unauthorized directory access were also discovered.

The report also includes a study of mobile security threats, focusing on how data is transferred to and stored on mobile devices. The findings say, Input Validation, Session Management and Privacy Violation combine to account for 57 percent of mobile vulnerabilities.

Cenzic says these results suggest that while storing unencrypted sensitive data on sometimes-lost mobile devices is a significant cause for concern, the often-unsecured web services commonly associated with mobile applications can pose an even bigger risk.

“Securing the application layer must be addressed more realistically by today’s businesses,” said Scott Parcel, chief technology officer at Cenzic.

“The exposure that organizations face from the trove of existing application vulnerabilities and from evolving threats has been laid bare this year, however most organizations have not comprehensively acted to defend themselves from these application level threats,” Parcel explained. “This trend continues to get worse; as the rush to create a multitude of connected mobile apps has led corporations to essentially rip out walls and replace them with unlocked doors, leaving them even less aware of how to secure at scale.”

Access to the report without registration is here.  

Related: XSS Attacks Spike In Q4 2012

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.