Over half of websites contain critical vulnerabilities that attackers could use to perform denial of service, steal personal data, and cause other severe consequences. These findings come from a new meta-analysis of web application security audits conducted by Positive Technologies in 2016 across different industries.
Hackers can take advantage of insecure web applications as a way to infect other targets, including users, with94 percent of those applications making such attacks possible by using 5 of the 10 most common application vulnerabilities. Positive Technologies testers were able to obtain personal data from 20 percent of web applications that process such data, including bank and government websites.
High-risk vulnerabilities were found in 74 percent of applications belonging to telecommunications companies, the highest rate of any industry. But, in terms of possible consequences, the worst security situation is found in manufacturing (with 43% of websites rated as "extremely poor") and e-commerce (34%).
Security experts note that vulnerabilities in public sites are still a popular wayfor compromising a company's internal infrastructure with every fourth web application allowing such attacks. And the same a number of web applications contain vulnerabilities that give an intruder access to internal databases.
One perhaps counterintuitive finding of the meta-analysis is that production (in-use) web applications are more vulnerable than those still in development Indeed, high-severity vulnerabilities were found on 50 percent of testbeds and on 55 percent of production systems. "Security testing is imperative both during development and ongoing operation," said Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies. "We urge all companies to use web application firewalls for protecting their applications."
The meta-analysis compared the effectiveness of different testing methods, such as white box and black box, and described automated code analysis and vulnerability detection with PT Application Inspector. As Gnedin noted, "White-box source code analysis shows better results than analysis without access to source code. For the best results, source code testing should be performed during development. Automated source code analysis throughout the development process is key for identifying issues as quickly and efficiently as possible."