Vulnerabilities on the rise - public sector at risk
New Invicti research has found that vulnerabilities are rising, and the public sector is particularly at risk.
Data from 23.6 billion security checks underscores the need for a comprehensive application security approach, with one-third of government and education organisations still at risk of SQL injection.
Invicti Security has released its Spring 2022 AppSec Indicator, revealing a rise in severe web vulnerabilities and the need for executive leaders to interweave their application security and digital transformation efforts to reduce risk.
The report examines web vulnerabilities from over 939 Invicti customers worldwide and is derived from the largest data set, with more than 23 billion security checks on customer applications uncovering over 282,000 direct-impact vulnerabilities.
"The data shows that numerous commonplace and well-understood vulnerabilities are increasing in web applications. The continued presence of these vulnerabilities presents a serious risk to organisations in every industry," the company says.
The report found that remote code execution, cross-site scripting (XSS), and SQL injection (SQLi) are all top offenders, each increasing in frequency or hovering around the same alarming numbers year over year. These vulnerabilities can lead to consequences such as compromised back-end data, hijacked sessions, or forced actions on behalf of other users and services.
Remote code execution, which is the ultimate goal of malicious attackers and is now especially prominent due to last year's Log4Shell vulnerability, has seen a steady increase since 2018, jumping 5% in frequency. And after a slight improvement in 2020, XSS backslid in 2021, with its incidence rising 6% year over year.
The two industry sectors with above-average SQL injection rates were educational institutions (35%) and government organisations (32%), measured as the share of organisations that experienced at least one occurrence of SQLi. This shows that legacy code still in production needs modernisation and that knowledge gaps for developers should be addressed.
Invicti says direct-impact vulnerabilities aren't decreasing in frequency, but there are foundational elements of every AppSec program that can improve security posture. For many organisations without adequate security measures, the persistence of vulnerabilities can be attributed to failures in secure design, a lack of comprehensive scanning, and the prevailing talent gap in cybersecurity.
While these stressors increase risk, organisations that adopt a proactive and comprehensive approach to application security, prioritising secure design, baking security into the architecture of applications, and scanning their entire application footprint, will reduce risk significantly.
"Once again, we've seen that even well-known vulnerabilities are still prevalent in web applications," says Invicti president and chief operations officer, Mark Ralls.
"It's time for organisations to gain command of their security posture. The only way to do that is to ensure that security is in the DNA of an organisation's culture, processes, and tooling so that innovation and security go hand-in-hand."