High-Tech Bridge, a web and mobile application security testing company, released a report on application security trends at Infosecurity Europe 2017. The report draws on data collected this year from open sources, the ImmuniWeb Testing platform, and the company's own web security services. It gives a good insight into the near-term evolution of application security in general, and into the context of technologies such as IoT going mainstream.
Here are the highlights of the report.
The bug bounty fatigue trend will keep progressing
The report states that 9/10 web apps in the scope of a private or public bug bounty program running for a year or longer contained at least two high-risk vulnerabilities that crowd security testing had not detected.
The fact that Google's Project Zero Prize received no valid submissions makes it evident that researchers are not likely to take up a project for which they may or may not be paid. Bug bounty programs are often seen only as an 'easy-money' opportunity, which explains the lack of thorough research in crowd security testing. This is why many high-risk vulnerabilities go unnoticed. Qualys and Bugcrowd have now begun a partnership to employ researchers, offering them full-time jobs without the usual risks of the industry, in order to get better results.
Security risks for the web interfaces of IoT devices
IoT is an innovative technology but is still in its infancy, which means it carries security risks at present. High-Tech Bridge's research found that over 95% of the web interfaces and panels of IoT devices had noteworthy security problems, such as outdated software without update support, admin credentials that cannot be modified, and other critical vulnerabilities.
Human error still poses a risk to the DevSecOps approach
A good majority of companies following the DevSecOps approach had at least one critical vulnerability resulting from human error. For instance, someone may carelessly deploy a supposedly secure web app at a location that is accessible to anyone without credentials. Reportedly, this only gets more complicated in a bigger organization, as numerous decision-makers and data handlers change their decisions simultaneously. The same applies to an Agile team: the bigger the team, the harder it becomes to preserve order.
Web server security needs improvements
According to the report, Content Security Policy (CSP) and various other security measures have been fully implemented on only about 2.5% of web servers worldwide. Though security breaches are not yet frequent enough to be a major concern, the report's findings call for greater awareness of potential security risks in web servers.
Web Application Firewalls are unable to guard against complex flaws
Even where commercial web application firewalls (WAFs) protected 22% of the SQL injection flaws in a web application, all of those flaws were found to be fully exploitable, meaning cyber criminals could extract sensitive data from the database with relative ease.
Reportedly, the various WAF bypass techniques were capable of at least partially breaching 58% of these vulnerabilities, according to the High-Tech Bridge study. 2018 is expected to bring solid improvements to web application firewalls so they can guard against the most complex security threats.
The report also covers breaches via the mobile backends of apps, risks such as XSS and CSRF, the dwindling reliability of HTTPS encryption, and more. The findings call for a drastic upgrade of the various security protocols associated with web and mobile applications.
Despite these security risks, capable web and mobile app developers can still deliver at the end of the day and provide services that ensure the apps are secure. If you want to learn more about secure web and mobile applications, feel free to contact us.