Industries across the spectrum are seeing rapid changes in their threat landscape. With the arrival of COVID-19, healthcare companies quickly became top targets for bad actors. The Chief Information Security Officer (CISO) of Johnson and Johnson recently indicated the company has seen a 30% increase in attack volume, including cyber attacks, from nation state threat actors since the start of the COVID-19 pandemic.
Overwhelming Levels of Unremediated Vulnerabilities
Healthcare is just one of many industry segments affected by increased cyber risk. With increased cyber-attack volume throughout the security realm, it is increasingly important for organizations to understand, manage, and remediate open vulnerabilities within their production applications. Unremediated application vulnerabilities pose a serious risk to organizations’ businesses, providing a potential entry point for malicious exploits that disrupt operations or even shut them down altogether.
However, over the course of the previous nine months, organizations have been unable to successfully decrease the prevalence of vulnerabilities within their applications. In fact, since March, the prevalence of all vulnerabilities and serious (critical and high severity) vulnerabilities has remained above average. One of the factors is tied to increased pressure on development teams to release more code faster. A critical driver behind this pressure is the need for businesses to move more functions online and to automate as many as possible. But this race for speed diverts attention from application security.
A Comprehensive Approach to Application Security
Organizations need actionable intelligence throughout the software development life cycle (SDLC) in order to deliver secure applications at the speed modern DevOps demands—and to protect them once they are in production. Contrast Labs publishes vulnerability and attack metrics on a bimonthly basis in an effort to contribute actionable data for practitioners to use. The trends highlighted in these reports, when used in conjunction with internal data sources and additional industry reports, enable security and development professionals to prioritize their security efforts and minimize risks within their applications.
Bimonthly AppSec Intelligence Report Highlights
Some of the most notable findings Contrast Labs uncovered during the September–October 2020 time frame include:
- The percentage of applications that have at least one serious vulnerability increased to 30%, up from 27% in the prior two-month time frame.
- The percentage of applications with 50 or more serious vulnerabilities grew from 9% to 11%.
- Serious vulnerabilities in, and many types of attacks on, .NET applications continued to rise.
- The percentage of attacks that were viable (i.e., that reached a vulnerability they could exploit) increased from 1% to 2%.
- More applications were impacted by four of the top five vulnerability attack types.
A Rise in Applications With Serious Vulnerabilities
For September–October, Contrast Labs reported several application vulnerability trends from its analysis of real-world applications. The most concerning of these trends was the rise in the percentage of applications with serious vulnerabilities. The average percentage of applications with at least one serious vulnerability was 26% over the 12-month time frame of June 2019–May 2020. Over the past six months and three bimonthly reports, Contrast Labs reported numbers noticeably higher than this average: 33% of applications in May and June, 27% in July and August, and 30% in September and October.
Organizations should be on high alert. The most prevalent serious vulnerabilities include Cross-site Scripting, Broken Access Control, SQL Injection, XML External Entities (XXE), and Insecure Configuration. If a bad actor is able to identify and exploit any one of these vulnerabilities, businesses could face repercussions ranging from loss of customers to entire systems being down. This is especially notable given a recent study done by Contrast, where 95% of organizations were found to have at least one successful application exploit in the last 12 months.
.NET Applications Have More Serious Vulnerabilities While Experiencing More Attacks
Serious Cross-site Scripting and Broken Access Control vulnerabilities were found in 2% more applications in September–October compared to July–August (representing a 23% and 31% increase, respectively). Cross-site Scripting vulnerabilities provide an opportunity for bad actors to masquerade as a “victim user” in order to carry out any actions that the user is able to perform and access any of the user’s data. Broken Access Control vulnerabilities allow attackers to bypass authorization safeguards and perform tasks as if they were privileged users. Both Cross-site Scripting and Broken Access Control vulnerabilities, if exploited, can enable bad actors to access and control an application’s functionality and data.
These two vulnerabilities drove the increased prevalence of serious vulnerabilities within .NET applications in September–October. Specifically, Cross-site Scripting vulnerabilities were identified in 12% of .NET applications and serious Broken Access Control vulnerabilities were identified in 7% of .NET applications.
During this time frame, .NET applications also saw an increased rate of attacks. Command Injection attacks showed the largest change, targeting 98% of applications in September–October as compared to 57% in July–August. One sliver of good news: Cross-site Scripting saw a smaller increase in attacks, and Broken Access Control vulnerabilities saw a decrease in attacks.
Reported Attacks Are More Likely To Be Viable
In September–October, the percentage of attacks that were viable (that is, attacks targeting a vulnerability actually present in the targeted code) doubled from 1% to 2% as compared to the last bimonthly report. While this prevalence of viable attacks is not new to Contrast Labs (in May–June 3% of attacks were viable), it is still concerning. Each viable attack provides bad actors with the possibility of an exploit.
This trend highlights the need for teams to not only “shift left” but also “shift right” with their application security. The most comprehensive approach to security addresses risks from development through production. Organizations and practitioners should consider tools for protecting their applications in production from these attacks as a mitigating tactic while working on remediating existing vulnerabilities.
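As an added illustration (not Contrast's code or data), the Python below joins constructed attack telemetry with a constructed inventory of open vulnerabilities to compute the "viable attack" rate described above and to rank the open serious vulnerabilities by how often they are already being hit, which is where runtime protection and remediation effort should go first. Application names, routes and severities are all invented for the example.

```python
from collections import Counter
from dataclasses import dataclass

SERIOUS = {"critical", "high"}  # the report's "serious" severities

@dataclass(frozen=True)
class Vulnerability:
    app: str
    route: str
    vuln_class: str   # e.g. "SQL Injection", "Cross-site Scripting"
    severity: str     # "critical", "high", "medium" or "low"

@dataclass(frozen=True)
class AttackEvent:
    app: str
    route: str
    attack_class: str  # vulnerability class the malicious request targets

# Constructed inventory of open vulnerabilities (illustrative, not real findings).
VULNS = [
    Vulnerability("shop", "/search", "Cross-site Scripting", "high"),
    Vulnerability("shop", "/admin/orders", "Broken Access Control", "critical"),
    Vulnerability("billing", "/invoice", "SQL Injection", "high"),
    Vulnerability("billing", "/export", "XML External Entities", "medium"),
]
# Constructed attack telemetry (illustrative, as a runtime sensor might log it).
ATTACKS = [
    AttackEvent("shop", "/search", "SQL Injection"),
    AttackEvent("shop", "/search", "Cross-site Scripting"),
    AttackEvent("shop", "/login", "Command Injection"),
    AttackEvent("billing", "/invoice", "SQL Injection"),
    AttackEvent("billing", "/export", "XML External Entities"),
]

def classify(attacks, vulns):
    """Split attacks into viable (targeted vuln exists on that route) and non-viable."""
    open_vulns = {(v.app, v.route, v.vuln_class) for v in vulns}
    viable = [a for a in attacks if (a.app, a.route, a.attack_class) in open_vulns]
    return viable, [a for a in attacks if (a.app, a.route, a.attack_class) not in open_vulns]

def viable_rate(attacks, vulns):
    """Percentage of attacks that were viable, the metric the report tracks."""
    return 100.0 * len(classify(attacks, vulns)[0]) / len(attacks) if attacks else 0.0

def remediation_priority(attacks, vulns):
    """Open serious vulnerabilities, most-attacked first: fix or shield these first."""
    hits = Counter((a.app, a.route, a.attack_class) for a in attacks)
    serious = [(v.app, v.route, v.vuln_class) for v in vulns if v.severity in SERIOUS]
    return sorted(serious, key=lambda k: (-hits[k], k))
```

A non-viable attack (a Command Injection payload against a route with no such flaw) is still worth logging as a signal of attacker interest, but the viable ones are the exposures that turn into incidents.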
Additional trends and findings can be found in the report as well as discussed in the Inside AppSec podcast. I encourage readers to download a copy of the report and to listen to the podcast for more detail.