Drop in Web App Flaws in 2016, Likely Not a Sign of Improved Security
Flaws in Web applications declined in 2016, but this doesn't reflect an improvement in software security because the number of vulnerabilities in other application types is set to increase, security firm says.The number of vulnerabilities reported in Web applications decreased slightly in 2016 over the previous year, with flaws in popular content-management systems dramatically declining, security firm Imperva stated in an analysis released last week. While the decrease in Web vulnerabilities could be considered a sign of improving security for online applications, Nadav Avital, technical lead for Imperva's application security research team, told eWEEK, that's unlikely to be the case. The fast-changing software landscape—with industrial control systems, the Internet of Things and mobile applications all relatively fertile fields of vulnerability research—is more likely attracting attention from security researchers, and away from Web applications, he said. "Vulnerability researchers are always looking for the easy prey," he said. "It is always easier to find vulnerabilities in stuff that has little security or no security—this is an explanation that we feel much more comfortable with."
"You do not see vulnerabilities in the core applications themselves," Avital said. "And this is part of the problem. You have thousands of these add-ons."More than a quarter of vulnerabilities—27 percent—were considered by Imperva to be especially high risk. The company manually reviews vulnerabilities to identify the severe issues and mitigate their potential impact. Of the flaws analyzed by Imperva, the greatest number—but not the majority—could allow an attacker to conduct a denial-of-service attack. Cross-site scripting and buffer overflows were the second and third most common attacks enabled by reported vulnerabilities, according to Imperva. Web-application vulnerabilities were not the most exploited issues, according to another firm's research. In December, data-analytics firm Recorded Future listed the most-exploited vulnerabilities for the year. Of the top-10 software issues, six affected Adobe Flash, two involved Microsoft's Explorer web browser, one affected Windows and another the last version of Microsoft’s Silverlight. The top-10 exploited vulnerabilities were completely different from the previous year, showing that exploit kits cycle through vulnerabilities quickly, switching to newer issues to remain effective against adapting defenses. "The teams behind these exploit kits continue to add fresh exploits for software as increased effectiveness in delivering the ‘customer’s’ payload will generate more revenue," the company said. Unlike the Imperva research, Recorded Future did not focus on Web attacks, but exploit kits that attempted to compromise—mostly—Windows machines.