Web-facing applications continue to be one of the highest security risks present for organizations, with more than 40 percent of them actively leaking data in a way that can have a ripple affect across businesses and their partners, research has found.
Moreover, manufacturing is particularly vulnerable to attacks through these apps, with 70 percent of applications having at least one serious vulnerability open over the previous 12 months, researchers found.
That’s according to a report from app-security firm WhiteHat Security, “AppSec Stats Flash Volume 3,” which outlines how the increased prevalence of applications that are exposed to the internet through web, mobile and API-based interfaces has increased the attack surface and thus the security risk for organizations and their supply chains across the board.
Among the findings of the report include a consistent characterization of the top five vulnerabilities found in internet-facing apps in the last three months, researchers found. Those flaws are: Information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing.
Cloud applications are currently driving the global economy, especially in a post-pandemic world in which business is increasingly done over the internet. However, more web-based applications and data in the cloud also means a higher risk of data breaches: Applications are increasingly polymorphic, with access through web, mobile and API-based interfaces. That makes application security a multi-dimensional challenge, researchers said.
“We continue to find that window of exposure, a key measure of exploitability remains very high,” Setu Kulkarni, vice president of strategy at WhiteHat, told Threatpost in an email. “What that means is that web-facing applications and APIs continue to have serious exploitable vulnerabilities throughout the year.”
What happens when an adversary attacks the supply chain was very evident recently thanks to the ongoing SolarWinds debacle, in which adversaries used SolarWinds’ Orion network management platform to infect users with a stealth backdoor called Sunburst (a.k.a. Solorigate). That in turn opened the way for lateral movement to other parts of a network.
Indeed, supply-chain attacks can be particularly damaging because they affect connected systems and business applications that are linked more than ever before through predominantly API-based integrations, Kulkarni observed.
This threat is compounded by another key finding of the report — that that the average time an organization takes to fix critical vulnerabilities is still more than 190 days, with the top vulnerability classes remain relatively static, giving adversaries an “easy way” to get into corporate networks, he said.
“Pedestrian vulnerabilities continue to plague applications,” researchers wrote. “The effort and skill required to discover and exploit these vulnerabilities is fairly low, thus making it easier for the adversary.”
Manufacturing at Greatest Risk
The manufacturing sector seems particularly susceptible to being attacked by vulnerabilities in web-facing applications likely because it was “traditionally never internet-connected as an industry,” then had to rapidly transition legacy systems and software to keep up, Kulkarni told Threatpost.
“The lift and shift of applications that were never meant to be internet-facing to become internet-enabled has likely resulted in this high risk,” he said.
Another factor putting manufacturing at greater risk is that supply chains are now increasingly software-driven, which means business partners are now having to open up otherwise internal applications to integrate with supply-chain partners. This again results “in existing vulnerabilities that were previously unexploitable to become publicly exploitable,” Kulkarni explained.
All of that said, the remediation of vulnerabilities present in an organization’s internet-facing apps is “an immediate and imminently achievable goal for development and security teams,” researchers wrote in the report. That journey toward better security starts with organizations taking measures toward “reducing the risk of being breached in production,” Kulkarni told Threatpost.
“Organizations must take inventory of public-facing apps, scan them continuously in production and take a risk-based approach to fix in-production issues,” he said. “That is step one.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)