Nearly all of the applications tested by Cenzic in 2013, a startling 96 percent, contained at least one security vulnerability, according to an annual report the application security company put out today.
Released while high-profile targets like Adobe, Living Social, Target and the Federal Reserve are still dealing with the ramifications of serious data breaches, the Cenzic Application Security Report 2014 notes, “Applications have become the soft target in the IT infrastructure. With so many vulnerabilities to choose from, hackers can easily breach the increasingly valuable data that applications access.”
Cross-site scripting (XSS) weighed in as the vulnerability most frequently found in apps that the company tested in 2013, followed closely by information leakage, which was found in 23 percent of the apps. “Out of all vulnerabilities discovered XSS and Information Leakage are the largest share because they occur often and in some cases multiple times per application,” according to the report, which analyzed the apps used by Cenzic's customer base.
Although the percentage of tested apps with vulnerabilities is down slightly from 99 percent in 2012, the median number of vulnerabilities per app remained steady, with 14 reported in 2013 compared to 13 the year before. And CISOs and other security professionals still have to battle old familiar vulnerabilities like SQL injection, which the report notes should “be like small pox and be nearly extinct.”
But default and weak passwords, database misconfigurations, and missing security patches continue to thwart their efforts and stand as open doors to seasoned hackers, the report says.
Mobile applications are also adding to security pros' headaches: the report found that the largest category of risk in 2013, accounting for 30 percent of the vulnerabilities, was server configuration and patch-level issues. Input validation accounted for 20 percent of the vulnerabilities, while session management and privacy violation accounted for 15 percent and 22 percent, respectively.
The Cenzic report acknowledged that many of the vulnerabilities detected are easy “to detect, block and fix,” but contended that the “best results come from a multi-layered and coordinated approach that includes technology, processes, employees and a security-oriented corporate culture.”