10 most common web app vulnerabilities according to Synopsys

code-unsplash

Editor’s brief: Web apps (web applications) are the bedrock of what powers most applications and transactions these days. However, is there really form, function and security all integrated into such web apps large and small, obvious and obscure? As we have seen from many of the data breaches, vulnerabilities and more today, it does seem there is a lot more work needed in the security department for web apps. Synopsys Cybersecurity Research Center (CyRC) reported the 10 most common web app vulnerabilities in its report “Software Vulnerability Snapshot: The 10 Most Common Web Application Vulnerabilities”, which ran 4,300 tests on 2,700 software targets. Read more below.

SINGAPORE Synopsys, Inc. (Nasdaq: SNPS) today published the “Software Vulnerability Snapshot: The 10 Most Common Web Application Vulnerabilities.” The report examines the results of 4,300 security tests conducted on 2,700 software targets, including web applications, mobile applications, source code files, and networks systems (i.e., software or systems). The majority of the security tests were intrusive “black box” or “gray box” tests, including penetration testing, dynamic application security testing (DAST), and mobile application security testing (MAST), designed to probe running applications as a real-world attacker would.

Eighty-two percent of the examined objects were either network systems or web applications, while thirteen percent were mobile programs. Companies from the software/internet, banking/business services, manufacturing/consumer services, healthcare, and government sectors were among those put through their paces in the testing process.

While 97% of targets were found to have at least one vulnerability, this was a 2% improvement over last year’s results. High-risk vulnerabilities were found in 20% of targets, down 10% from the previous year, and in 4.5% of targets, down 1.5% from the previous year.

The findings show that a comprehensive set of tools, including static analysis, dynamic analysis, and software composition analysis, is the best way to perform security testing and guarantee that a system or application is safe from flaws. Cross-site scripting (XSS) is one of the most common and destructive high-/critical-risk vulnerabilities impacting web applications, and it was found in 22% of all test targets. When an application is being used, many XSS vulnerabilities can be exploited. The good news is that organizations are taking proactive measures to mitigate XSS vulnerabilities in their production applications, as the exposure identified this year was 6% lower than last year’s findings.

“This research underscores that intrusive black box testing techniques like DAST and pen testing are particularly effective for surfacing exploitable vulnerabilities in the software development lifecycle and should be part of any well-rounded application security testing regimen,” said Girish Janardhanudu, vice president, security consulting at Synopsys Software Integrity Group.

Additional report highlights

  • OWASP Top 10 vulnerabilities were discovered in 77% of the targets. Application and server misconfigurations were 18% of the overall vulnerabilities found in the tests (a 3% decrease from last year’s findings), represented by the OWASP A05:2021 – Security Misconfiguration category. And 18% of the total vulnerabilities found were related to the OWASP A01:2021 – Broken Access Control category (a 1% decrease from last year).
  • The urgent need for a software Bill of Materials. Vulnerable third-party libraries were found in 21% of the penetration tests conducted (an increase of 3% over last year’s findings). This corresponds with the 2021 OWASP Top 10 category A06:2021—Use of Vulnerable and Outdated Components. Most organizations use a mix of custom-built code, commercial off-the-shelf code, and open source components to create the software they sell or use internally. Often those organizations have informal—or no—inventories detailing exactly what components their software is using, as well as those components’ licenses, versions, and patch status. With many companies having hundreds of applications or software systems in use, each themselves likely having hundreds to thousands of different third-party and open source components, an accurate, up-to-date software Bill of Materials is urgently needed to effectively track those components. is urgently needed to effectively track those components.
  • Lower-risk vulnerabilities can also be exploited to facilitate attacks. Seventy-two percent of the vulnerabilities discovered in the tests are considered low- or medium-risk. That is, the issues found are not directly exploitable by attackers to gain access to systems or sensitive data. Nonetheless, resurfacing these vulnerabilities isn’t an empty exercise, as even lower-risk vulnerabilities can be exploited to facilitate attacks. For example, verbose server banners—found in 49% of the DAST tests and 42% of the pen tests—provide information such as server name, type, and version number that could allow attackers to perform targeted attacks on specific technology stacks.

###