
Risks related to mobile applications 'highly exaggerated'

By Staff Writer, ITWeb
Johannesburg, 13 Jun 2017

Mobile backends are the Achilles' heel of the corporate defence perimeter. Eighty-three percent of mobile apps within the banking, financial and retail sectors have a mobile backend (Web services and APIs) that is vulnerable to at least one high-risk security vulnerability.

This was revealed by High-Tech Bridge, a provider of Web and mobile application security testing services, in its summary on application security trends for Q1 - Q2 2017.

The report also showed that risks related to mobile applications are 'highly exaggerated'. "Over 95% of vulnerabilities residing in mobile application code are not easily exploitable and do not pose a major risk. The most popular flaw in mobile applications within banking, financial and retail sectors is insecure or cleartext storage of sensitive or authentication data on a mobile device," the company said.

Web interfaces, IoT

Another finding was that Web interfaces of IoT devices represent an enormous risk, with 98% of Web interfaces and administrative panels of various IoT devices having fundamental security problems.

"Manufacturers who build IoT objects still do not understand that cybersecurity of their products becomes even more vital than manufacturing quality standards, and puts their customers at enormous risk," High-Tech Bridge said.

Another trend showed that DevSecOps cannot protect against human negligence. Two out of three organisations that take a DevSecOps approach to application development had at least one high- or critical-risk vulnerability in their external Web applications, due to a lack of internal coordination, human negligence or a business reason.

The company said that this is particularly true for agile development, when many different people from different locations make changes simultaneously to application code. "The bigger the organisation is, the more complicated it is to prevent such incidents, as numerous data and process owners change their decisions and requirements much faster than IT has time to properly adopt them, following internal processes."

OWASP Top Ten

The report also highlighted that XSS, CSRF and information disclosure are still the most common vulnerabilities. Globally, these three Open Web Application Security Project (OWASP) Top Ten vulnerability classes may account for 80% of flaws; in the banking, financial, insurance and e-commerce sectors, however, they represent only 50.9%.

The OWASP is a non-profit organisation that provides unbiased, practical information about application security. Its Top 10 represents a broad consensus on the most critical Web application security flaws.

Moreover, the report revealed that OWASP Top Ten flaws are becoming harder to detect, with 53% of simple flaws from the Top Ten, such as XSS, no longer detectable by vulnerability scanners and other fully automated solutions.

Such vulnerabilities increasingly require a complicated chain of exploitation that can only be performed by a human. For example, many simple XSS flaws require a valid client ID or Google's reCAPTCHA, or are only reproducible with a long set of other valid HTTP parameters.

In addition, complicated authentication systems and session expiration on abnormal behaviour preclude vulnerability scanners from testing the authenticated part of the applications.

Therefore, full automation in vulnerability detection for modern Web applications becomes highly challenging, the company says.

Another trend that came out of the report was that Web server security hardening is massively ignored. "Statistics from High-Tech Bridge's free online Web Server Security test show that a Content Security Policy (CSP), various security-related HTTP headers and other options of Web server security hardening are currently fully implemented only on 2.4% of global Web servers."

Despite the fact that almost all social networks have implemented the above-mentioned measures, there is low overall awareness that many vectors of XSS and CSRF attacks can be effectively mitigated on a Web server.
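As an added illustration of the server-side hardening the report measures (this is not High-Tech Bridge's Web Server Security test and not code from the article), a small Python checker grades a response's headers for CSP, HSTS, framing, MIME sniffing and session-cookie flags. The thresholds, finding messages and sample header sets are constructed assumptions.

```python
"""Constructed example: report hardening gaps in a set of HTTP response headers."""
import re
from typing import Dict, List

# CSP source tokens that leave most reflected XSS exploitable (assumed list).
WEAK_CSP_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def _csp_findings(csp: str) -> List[str]:
    """Parse a CSP string and flag script sources that neutralise its XSS value."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script_src = directives.get("script-src") or directives.get("default-src")
    if script_src is None:
        return ["CSP lacks script-src and default-src: scripts are unrestricted"]
    return [f"CSP allows {w} for scripts: most XSS still executes"
            for w in WEAK_CSP_SOURCES if w in script_src]

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return hardening gaps; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    findings += _csp_findings(csp) if csp else ["no Content-Security-Policy"]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 15552000:  # 180 days, assumed minimum
        findings.append("Strict-Transport-Security missing or max-age too short")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options/frame-ancestors)")
    cookie = h.get("set-cookie", "").lower()
    if cookie:  # missing flags expose the session to CSRF and cookie theft
        findings += [f"session cookie lacks {name}"
                     for flag, name in COOKIE_FLAGS.items() if flag not in cookie]
    return findings

# Constructed sample responses: a bare default server and a hardened one.
WEAK_HEADERS = {"Server": "Apache", "Set-Cookie": "session=abc; Path=/"}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd'; "
                               "frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["OK"])
```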
