Infosecurity Europe 2017 Summary Report on application security trends for Q1 – Q2 2017.

1. Bug bounty fatigue: nine out of ten web applications covered by a private or public bug bounty program contained at least two high-risk vulnerabilities that crowd security testing had not detected. Such vulnerabilities require a thorough understanding of the web application's structure, architecture and business logic. Researchers adapt their targets and methodologies, looking for flaws that do not take a lot of time to find. Google's Project Zero Prize, which ended without a single valid submission, is a good example: no researcher is motivated to spend endless nights on complicated vulnerabilities and exploitation techniques without a solid assurance of payment.
2. Mobile back-ends are the weak point of the corporate defense perimeter: 83% of mobile apps in the banking, financial and retail sectors have a mobile back-end (web services and APIs) that is vulnerable to at least one high-risk security vulnerability. The most common flaws are insufficient or missing authorization when accessing sensitive data, or data belonging to other users: the request is authenticated, but the back-end never checks that the caller is allowed to see the object it asked for. Various injections, mainly SQL and XML injection, are also quite common, aggravated by the frequent absence of a WAF in front of the mobile back-end.
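As an added illustration of the missing-authorization flaw described in item 2 (example code written for this summary, not code from the report or from any application it assessed), the following Python models one mobile back-end endpoint, GET /api/accounts/<id>, twice: once with authentication but no object-level authorization, and once with an ownership check. The endpoint, account records, session tokens and user names are all constructed for the example.

```python
"""Missing object-level authorization on a mobile back-end API.

Added example: models GET /api/accounts/<id> with and without an ownership
check. The account store, session tokens and user names below are constructed.
"""
from typing import Optional

# Constructed account store: account id -> record, including the owning user.
ACCOUNTS = {
    101: {"id": 101, "owner": "alice", "iban": "DE00 0000 0000 0000 0001", "balance": 1500.0},
    102: {"id": 102, "owner": "bob", "iban": "DE00 0000 0000 0000 0002", "balance": 42.0},
}

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Response:
    def __init__(self, status: int, body: Optional[dict] = None):
        self.status = status
        self.body = body


def authenticate(token: str) -> Optional[str]:
    """Authentication answers 'who is calling?', not 'may they see this object?'."""
    return SESSIONS.get(token)


def get_account_vulnerable(token: str, account_id: int) -> Response:
    """Authenticates the caller, then returns whatever account id was requested."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    account = ACCOUNTS.get(account_id)
    if account is None:
        return Response(404)
    return Response(200, account)  # no ownership check: any user reads any account


def get_account_fixed(token: str, account_id: int) -> Response:
    """Same endpoint with an object-level authorization check."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    account = ACCOUNTS.get(account_id)
    # 404 for both "does not exist" and "not yours", so the response does not
    # confirm which ids belong to other users.
    if account is None or account["owner"] != user:
        return Response(404)
    return Response(200, account)


def enumerate_accounts(handler, token: str, id_range) -> list:
    """What an attacker does with their own valid token: walk the id space and
    keep every id the back-end answers with 200."""
    return [i for i in id_range if handler(token, i).status == 200]


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(get_account_vulnerable, "tok-bob", range(100, 110)))
    print("fixed:     ", enumerate_accounts(get_account_fixed, "tok-bob", range(100, 110)))
```

With Bob's valid token the enumeration lists both accounts against the vulnerable handler and only his own against the fixed one. Every request in that enumeration is well-formed and authenticated, which is why a WAF sees nothing to block and why finding this class of flaw needs an understanding of the application's business logic rather than a signature.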
3. Risks related to mobile applications are highly exaggerated: over 95% of vulnerabilities residing in mobile application code are not easily exploitable and do not pose a major risk. The most common flaw is insecure or clear-text storage of sensitive or authentication data on the mobile device. The second is the use of insecure or otherwise unreliable components in the application code, putting the user's privacy at risk. The third is insecure communication with the mobile back-end (APIs and web services), allowing an attacker to intercept sensitive data or conduct MITM attacks. All of these usually require either another malicious application already installed on the device or an attacker on the same network segment as the victim, and are thus hard to exploit in the wild.
4. Web interfaces of IoT devices represent an enormous risk: 98% of the web interfaces and administrative panels of the IoT devices examined had fundamental security problems. Among them: hard-coded admin credentials that cannot be changed, outdated software (e.g. the embedded web server) with no way to update it out of the box, no encryption of HTTP traffic, and critical vulnerabilities in the interface itself, including RCE (remote command execution) directly in the login form.
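The "RCE directly in the login form" pattern from item 4 is typically a command injection: the panel shells out with the submitted username or password pasted into the command string, and the injected command runs before any credential check. As an added example (not code from the report or from any device it tested), here is such a login handler next to a hardened one, plus a harness that shows the injected command executing against the vulnerable version only. It assumes a POSIX shell; the log path, the marker file and the credentials are constructed for the demo.

```python
"""Command injection in an IoT device login handler (constructed example).

The vulnerable handler logs the login attempt through the shell with the
username interpolated into the command. The hardened handler validates the
username and never touches a shell. Requires a POSIX /bin/sh; all files are
written inside a temporary directory.
"""
import os
import re
import subprocess
import tempfile

# Allow-list for usernames: letters, digits, '_', '.', '-', 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Constructed credentials, hard-coded only to keep the demo self-contained
# (hard-coded device credentials are themselves one of the problems the report lists).
ADMIN_USER, ADMIN_PASS = "admin", "correct horse"


def login_vulnerable(username: str, password: str, log_path: str) -> bool:
    # The username goes straight into a shell command string.
    cmd = "echo 'login attempt for %s' >> '%s'" % (username, log_path)
    subprocess.run(cmd, shell=True, check=False)
    return username == ADMIN_USER and password == ADMIN_PASS


def login_fixed(username: str, password: str, log_path: str) -> bool:
    # 1. Validate the input before doing anything with it.
    if not USERNAME_RE.match(username):
        return False
    # 2. Log through the file API: no shell, so no command to inject into.
    with open(log_path, "a", encoding="utf-8") as log:
        log.write("login attempt for %s\n" % username)
    return username == ADMIN_USER and password == ADMIN_PASS


def injection_demo(handler) -> bool:
    """Calls the handler with a pre-authentication payload and returns True if
    the injected command ran (the marker file appeared), i.e. the handler is
    exploitable without knowing any password."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "login.log")
        marker = os.path.join(tmp, "pwned")
        # Closes the quoted string, runs a command, then reopens the quote so
        # the rest of the original command still parses.
        payload = "admin'; touch '%s'; echo '" % marker
        handler(payload, "wrong-password", log_path)
        return os.path.exists(marker)


def credential_demo(handler, username: str, password: str) -> bool:
    """Normal login path, logging into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return handler(username, password, os.path.join(tmp, "login.log"))


if __name__ == "__main__":
    print("vulnerable handler exploitable:", injection_demo(login_vulnerable))
    print("fixed handler exploitable:     ", injection_demo(login_fixed))
```

The payload never needs a valid password: the shell runs `touch` while evaluating the logging command, before the handler compares credentials. The fix is not a better quoting scheme but removing the shell from the path entirely and rejecting input that does not match the expected shape.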
5. DevSecOps cannot protect from human negligence: two thirds of companies that follow a DevSecOps approach to application development had at least one high- or critical-risk vulnerability in their external web applications, due to a lack of internal coordination, human negligence or a business reason. For example, a highly secure web application can sit on the same domain as a forgotten file upload form, or a recent database backup left in a predictable location. This is especially true for agile development, where many people in different locations change the application code simultaneously.
6. XSS, CSRF and information disclosure are still the most popular vulnerabilities: globally, these three OWASP Top Ten categories together easily account for more than 80% of the vulnerabilities found.
7. OWASP Top Ten flaws become harder to detect: despite their overwhelming popularity, 53% of simple OWASP Top Ten flaws, such as XSS, are no longer detectable by vulnerability scanners and other fully automated solutions. Such vulnerabilities increasingly require a complicated exploitation chain that only a human can perform. For example, many XSS flaws that look simple at first glance require a valid client ID or a solved Google reCAPTCHA, or are only reproducible together with a long set of other valid HTTP parameters. Moreover, complex authentication systems (e.g. 2FA, and session expiration on abnormal behaviour) prevent vulnerability scanners from testing the authenticated part of the application at all. Full automation of vulnerability detection for modern web applications is therefore becoming highly challenging.
8. Web server security hardening is massively ignored: a Content Security Policy (CSP), the security-related HTTP response headers and the other web server hardening options are currently fully implemented on only 2.4% of web servers worldwide.
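To make the hardening gap in item 8 concrete, here is an added example (written for this summary, not a tool from the report) that audits the response headers of a page for CSP, HSTS, clickjacking, MIME-sniffing and referrer controls, and for version disclosure in the Server header. The three header sets it checks are constructed, and the HSTS max-age floor is this example's own assumption; set it to whatever your policy requires.

```python
"""Audit HTTP response headers for common web server hardening controls.

Added example. Input is a dict of response headers (names are matched
case-insensitively); output is a sorted list of findings, empty when no gap
is found. The sample header sets are constructed for this example.
"""
import re

HSTS_MIN_AGE = 15552000  # 180 days; assumed floor for this example


def parse_csp(value):
    """'default-src 'self'; script-src 'self' cdn' -> {'default-src': [...], ...}.
    Sources are lower-cased so CSP keywords compare case-insensitively."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_headers(headers):
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # script-src falls back to default-src; neither means scripts are unrestricted.
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("CSP: no script-src or default-src fallback")
        else:
            has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
            if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
                findings.append("CSP: 'unsafe-inline' scripts without nonce/hash")
            if "'unsafe-eval'" in scripts:
                findings.append("CSP: 'unsafe-eval' allowed")

    # Either CSP frame-ancestors or X-Frame-Options is needed against clickjacking.
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("Clickjacking: no frame-ancestors and no X-Frame-Options")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS: max-age missing or below %d" % HSTS_MIN_AGE)
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: header missing")
    if re.search(r"\d", h.get("server", "")):
        findings.append("Server: version string disclosed")
    return sorted(findings)


# Constructed sample responses: an untouched default install, a partially
# hardened one, and one with the controls the audit looks for.
DEFAULT_HEADERS = {"Server": "Apache/2.4.18 (Ubuntu)", "Content-Type": "text/html"}
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in [("default", DEFAULT_HEADERS), ("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)]:
        print(name, audit_headers(hdrs) or "no findings")
```

The "weak" set shows why partial hardening counts for little: a CSP that allows 'unsafe-inline' scripts without nonces or hashes does not stop reflected XSS, and an HSTS max-age of a few minutes protects nothing beyond the current visit.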
9. WAFs mitigate simple OWASP Top Ten flaws, but fail to protect from sophisticated ones: only 22% of SQL injections in web applications protected by a commercial WAF were fully exploitable (i.e. allowing sensitive data to be extracted from the database). However, 58% of these vulnerabilities were partially exploitable (e.g. disclosing the SQL server version or the database user) using various WAF bypass techniques. Meanwhile, in 88.7% of cases, complex improper access control, chained vulnerabilities and flawed application business logic were not detected by the WAF at all, and thus remained unmitigated.
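The following added example (written for this summary, not code from the report or any WAF vendor) shows the "partially exploitable behind a WAF" situation from item 9 end to end: a toy signature-based filter stands in for the WAF, sqlite3 for the database. The filter stops the obvious payload, a comment-obfuscated variant of the same payload still discloses the database version through the string-built query, and the parameterized query returns nothing for either. The schema, rows and filter rules are constructed.

```python
"""Why a WAF mitigates SQL injection but does not fix it (constructed example).

`waf_allows` is a toy signature filter. `lookup_vulnerable` sits behind it but
still concatenates the parameter into SQL; `lookup_fixed` uses a parameterized
query. Schema, data and signatures are constructed for this example.
"""
import re
import sqlite3

# Toy "WAF": block values matching a few well-known injection signatures.
WAF_SIGNATURES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"'\s*or\s+'?\d", re.I),
    re.compile(r";\s*drop\s", re.I),
]


def waf_allows(value: str) -> bool:
    return not any(sig.search(value) for sig in WAF_SIGNATURES)


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows standing in for sensitive data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, name TEXT, card TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("u1", "alice", "4111-1111-1111-1111"), ("u2", "bob", "5500-0000-0000-0004")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str):
    """Behind the WAF, but builds the query by string formatting."""
    if not waf_allows(user_id):
        return "blocked by WAF"
    rows = con.execute("SELECT name FROM users WHERE id = '%s'" % user_id).fetchall()
    return [r[0] for r in rows]


def lookup_fixed(con: sqlite3.Connection, user_id: str):
    """Parameterized: the value is bound as data and cannot alter the query."""
    rows = con.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return [r[0] for r in rows]


# The obvious payload, which the filter catches ...
NAIVE_PAYLOAD = "x' UNION SELECT card FROM users--"
# ... and the same idea with a comment where the signature expects whitespace,
# which slips through and reads back the database version (information
# disclosure, the 'partially exploitable' outcome the report describes).
BYPASS_PAYLOAD = "x' UNION/**/SELECT sqlite_version()--"

if __name__ == "__main__":
    con = make_db()
    print("naive payload, vulnerable: ", lookup_vulnerable(con, NAIVE_PAYLOAD))
    print("bypass payload, vulnerable:", lookup_vulnerable(con, BYPASS_PAYLOAD))
    print("bypass payload, fixed:     ", lookup_fixed(con, BYPASS_PAYLOAD))
```

Once the signature is bypassed, nothing but the application's own query construction stands between the attacker and the `card` column, so the WAF's value is the time it buys, not the protection it appears to give. The access control flaws from item 2 are worse still for a WAF: an authenticated request for someone else's record carries no payload to match at all.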
10. Growth of HTTPS encryption reliability is stagnating: in June 2017, the free SSL/TLS server test passed 2.2 million unique tests (not counting API usage, repeated tests and subdomain analysis). 64.4% of all tested web servers received an "A" grade and 47.5% have a TLS configuration compliant with PCI DSS requirements. However, this represents growth of just 0.2% and 0.1% respectively over the last six months. The top countries hosting web servers with the most secure HTTPS configuration are still the USA, Germany, France, the Netherlands and the UK.
