According to a new report from application security firm Cenzic, Web application vulnerabilities remain an issue, as 99% of the applications they tested were vulnerable to one degree or another, with the average application having 13 vulnerabilities on its own.
The report’s data was gathered during the Cenzic Managed Security team’s analysis of applications in production, and reveals the volume and types of vulnerabilities prevalent in web and mobile applications. While the exact number of applications tested doesn’t appear in the report itself, the vulnerabilities found by the researchers are broken down by type, frequency and severity.
Of the applications tested, Cenzic says that Cross-Site Scripting (XSS) remained the number one vulnerability (26%), followed by information leakage, authentication and authorization vulnerabilities, Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi) to round out the top five. Other vulnerabilities, such as Web Server version, remote code execution, server configuration issues, and unauthorized directory access were also discovered.
The report also includes a study of mobile security threats, focusing on how data is transferred to and stored on mobile devices. The findings say, Input Validation, Session Management and Privacy Violation combine to account for 57 percent of mobile vulnerabilities.
Cenzic says these results suggest that while storing unencrypted sensitive data on sometimes-lost mobile devices is a significant cause for concern, the often-unsecured web services commonly associated with mobile applications can pose an even bigger risk.
“Securing the application layer must be addressed more realistically by today’s businesses,” said Scott Parcel, chief technology officer at Cenzic.
“The exposure that organizations face from the trove of existing application vulnerabilities and from evolving threats has been laid bare this year, however most organizations have not comprehensively acted to defend themselves from these application level threats,” Parcel explained. “This trend continues to get worse; as the rush to create a multitude of connected mobile apps has led corporations to essentially rip out walls and replace them with unlocked doors, leaving them even less aware of how to secure at scale.”
Access to the report without registration is here.
Related: XSS Attacks Spike In Q4 2012