September 25, 2018 By Sue Poremba 3 min read

A recent study shined a light on an attack vector that is often overlooked: the insecurity of web applications.

According to the report, issued by Positive Technologies, 44 percent of web applications are vulnerable to data leakage and security problems. In other words, threat actors have easy access to the personal customer data those applications handle across a variety of verticals such as banking, e-commerce and communications.

In addition, 48 percent of the applications were found to be vulnerable to unauthorized access, with 17 percent having exploits that could result in a full takeover by a threat actor. But perhaps the most eye-opening finding is that 100 percent of the web applications tested had some sort of vulnerability in general.

Security as an Afterthought

The web app as an attack vector isn’t a new problem, although we may not have realized how severe the vulnerabilities were. And worse, we’ve allowed the problem to linger: Many developers and IT decision-makers don’t take web app security seriously. Mozilla gave 93 percent of websites it observed a failing grade for security against cross-site scripting (XSS), for example. Application security tends to be treated as an afterthought, pushed behind other, more pressing security issues.

The biggest problem, no matter the programming language used, is XSS, according to the report. The authors also pointed to data leakage, fingerprinting and brute-force attacks as common issues across the board.

App Security Lags Despite Increasing Awareness

“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Leigh-Anne Galloway, Positive Technologies cybersecurity resilience lead, as quoted in Infosecurity Magazine. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”

Why is web app security falling behind? In a blog post for Secure Code Warrior, Pieter Danhieux blamed human behavior, stating that not only do humans behave in ways that introduce vulnerabilities and security threats, but developers aren’t always brought into the security loop.

“How are developers supposed to write secure code if nobody ever teaches them about why it’s important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?” he wrote.

How Cybercriminals Exploit Web Applications to Spread Malware

The Positive Technologies report cited two primary areas of motivation for cybercriminals to take advantage of web application vulnerabilities. The first is to use apps to infect and spread malware throughout enterprise networks.

“This method was used to spread the Bad Rabbit ransomware: attackers compromised web applications belonging to media outlets and masked malware as an Adobe Flash Player update installer,” the report explained.

In another case, an attacker exploited a vulnerability to disseminate phishing emails targeting bank employees.

Some threats don’t even involve direct attacks against web apps; cybercriminals can use applications in various ways to launch malware attacks. The moment your website or web application is compromised — no matter the method — your organization’s reputation takes a hit, which can lead to financial loss.

Data Theft in a Regulated World

The report also cited data theft as a key motivation for targeting web applications. Data leakage is a problem in any situation, be it customer data or corporate intellectual property. However, the stakes of stolen data have been raised in a post-General Data Protection Regulation (GDPR) and a pre-California Consumer Privacy Act (CCPA) world.

As more states decide to step up measures to protect customer data, any type of data loss can create extraordinary headaches for company leaders. Loss of data can cost an organization hundreds of thousands to millions of dollars in fines, according to data compiled by TermsFeed. At the same time, as more effort is put into data protection, stolen data will become more valuable on the dark web, encouraging threat actors to improve their targeting and attack styles.

How Can Companies Protect Web Applications?

Data privacy regulations require most companies to improve their web application security capabilities. IT leaders can start by building security measures directly into the app’s design as a way to put consumer security and privacy front and center.

“For application security, this means that security and privacy need to be thought about in the planning stages of the Software Development Life Cycle (SDLC),” cybersecurity expert Amit Ashbel wrote for ITProPortal. “Unfortunately, this is not currently the case with many organizations so this will be a large task for the industry.”

Built-in security and privacy measures are crucial. Web app developers should also implement a web application firewall, bolster password management, deploy mobile application management features and install security plugins where available.

As the Positive Technologies report pointed out, security issues in web applications clearly aren’t getting the attention they require: its annual studies keep finding the same mistakes and concerns repeating themselves. Lax security may have been overlooked in the past, but as privacy regulations and their consequences gain traction, application vulnerabilities and data leakage can cost your organization more than just a light fine and a slap on the wrist.
