Web Application Vulnerability Is Everyone's Responsibility
When organizations worry about their cyber security, they focus on ransomware attacks, employees opening (spear) phishing emails, or clicking on malicious banners and links on websites. But there is another danger that is often underestimated: the web applications of your own organization could harbor vulnerabilities and security issues. This happens more often than you think. "Bad" coding is still a major concern, as HP Security Research's Cyber Risk Report 2015 indicates:

"The primary causes of commonly exploited software vulnerabilities are consistently defects, bugs, and logic flaws. Security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. Much has been written to guide software developers on how to integrate secure coding best practices into their daily development work. Despite all of this knowledge, we continue to see old and new vulnerabilities in software that attackers swiftly exploit. It may be challenging, but it is long past the time that software development should be synonymous with secure software development. While it may never be possible to eliminate all code defects, a properly implemented secure development process can lessen the impact and frequency of such bugs."

The report ranks the top five vulnerabilities resulting from bad coding as follows: privacy violation (74%), insecure storage (71%), insecure transport (66%), insecure deployment (62%), and poor logging practice (47%). Patching vulnerabilities takes on average more than 170 days. As the Acunetix Web Application Vulnerability Report 2016 shows, the numbers for 2016 are not much better: 55% of web applications were shown to contain high-severity vulnerabilities such as XSS and SQL injection, and 84% of web applications were susceptible to at least one medium-severity vulnerability such as CSRF.

Let's have a look at the top 3 web application hacks and breaches that made the headlines in 2016.
- The Panama Papers (more than 11.5 million confidential documents) were leaked when the website of Mossack-Fonseca was hacked by exploiting weaknesses in the site's CMS security. Not only was the out-of-date image slider plugin on the company's website exploited, but also several known vulnerabilities in Mossack-Fonseca's three-year-old version of Drupal.
- The PayPal.me website was shown to be vulnerable to Cross-Site Request Forgery (CSRF). When exploited, an attacker could remove or edit the CSRF token and still update a user's PayPal profile picture, because the server did not reject requests whose token was missing or altered.
- The Russian Foreign Ministry website spoof. A hacker known as The Jester exploited a cross-site scripting (XSS) vulnerability found in the website and used it to post a detailed message for all website visitors to see, without damaging or breaching the site itself.
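The PayPal.me item above describes a CSRF check that could be bypassed by removing or editing the token. The following is an added illustration of that failure mode, not code from the post or from PayPal: a server-side check that fails open when the token is absent, beside a hardened version that rejects missing, empty, or mismatched tokens. The function names, the simulated endpoint, and the sample requests are constructed for this example.

```python
import hmac
import secrets


def issue_csrf_token() -> str:
    """Generate an unguessable per-session CSRF token (constructed helper)."""
    return secrets.token_urlsafe(32)


def weak_csrf_check(session_token: str, form: dict) -> bool:
    """Flawed check: a request with the token removed is waved through."""
    submitted = form.get("csrf_token")
    if not submitted:          # missing/empty token -> validation is skipped
        return True
    return submitted == session_token   # also not a constant-time compare


def strict_csrf_check(session_token: str, form: dict) -> bool:
    """Hardened check: missing, empty, or mismatched token is rejected."""
    submitted = form.get("csrf_token")
    if not session_token or not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(submitted, session_token)


def update_profile_picture(check, session_token: str, form: dict) -> bool:
    """Simulated state-changing endpoint; True means the update was applied."""
    if not check(session_token, form):
        return False
    # A real handler would persist form["picture"] for the logged-in user here.
    return True


# Constructed sample requests against one session token.
SESSION_TOKEN = issue_csrf_token()
LEGIT_REQUEST = {"csrf_token": SESSION_TOKEN, "picture": "new.png"}
TOKEN_REMOVED = {"picture": "new.png"}            # token parameter stripped
TOKEN_EDITED = {"csrf_token": "x", "picture": "new.png"}  # token altered

if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("removed", TOKEN_REMOVED),
                      ("edited", TOKEN_EDITED)]:
        print(name, "weak:", update_profile_picture(weak_csrf_check, SESSION_TOKEN, req),
              "strict:", update_profile_picture(strict_csrf_check, SESSION_TOKEN, req))
```

The weak check accepts the request with the token removed, which is the class of bug the item describes; the strict check only accepts the request carrying the exact session token.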