Drop in Web App Flaws in 2016, Likely Not a Sign of Improved Security

Flaws in Web applications declined in 2016, but this doesn't reflect an improvement in software security because the number of vulnerabilities in other application types is set to increase, security firm says.

Software Flaw Research 2

The number of vulnerabilities reported in Web applications decreased slightly in 2016 over the previous year, with flaws in popular content-management systems dramatically declining, security firm Imperva stated in an analysis released last week.

While the decrease in Web vulnerabilities could be considered a sign of improving security for online applications, Nadav Avital, technical lead for Imperva's application security research team, told eWEEK, that's unlikely to be the case.

The fast-changing software landscape—with industrial control systems, the Internet of Things and mobile applications all relatively fertile fields of vulnerability research—is more likely attracting attention from security researchers, and away from Web applications, he said.

"Vulnerability researchers are always looking for the easy prey," he said. "It is always easier to find vulnerabilities in stuff that has little security or no security—this is an explanation that we feel much more comfortable with."

Newer programming languages seem to have attracted more attention from security researchers. Both PHP—the latest major version of which was released in December 2015—and Ruby saw an increase in reported vulnerabilities last year. Older languages, such as Java and .NET, saw fewer in 2016.

Content management systems, such as Drupal and Wordpress, saw fewer vulnerabilities in 2016 than the previous year. The number of Drupal vulnerabilities dropped by almost a factor of 10, while Wordpress saw the number of flaws affecting the platform drop in half, according to Imperva data.

Issues with popular plugins continued to hamper the publishing platforms, however.

"You do not see vulnerabilities in the core applications themselves," Avital said. "And this is part of the problem. You have thousands of these add-ons."

More than a quarter of vulnerabilities—27 percent—were considered by Imperva to be especially high risk. The company manually reviews vulnerabilities to identify the severe issues and mitigate their potential impact.

Of the flaws analyzed by Imperva, the greatest number—but not the majority—could allow an attacker to conduct a denial-of-service attack. Cross-site scripting and buffer overflows were the second and third most common attacks enabled by reported vulnerabilities, according to Imperva.

Web-application vulnerabilities were not the most exploited issues, according to another firm's research. In December, data-analytics firm Recorded Future listed the most-exploited vulnerabilities for the year. Of the top-10 software issues, six affected Adobe Flash, two involved Microsoft's Explorer web browser, one affected Windows and another the last version of Microsoft’s Silverlight.

The top-10 exploited vulnerabilities were completely different from the previous year, showing that exploit kits cycle through vulnerabilities quickly, switching to newer issues to remain effective against adapting defenses.

"The teams behind these exploit kits continue to add fresh exploits for software as increased effectiveness in delivering the ‘customer’s’ payload will generate more revenue," the company said.

Unlike the Imperva research, Recorded Future did not focus on Web attacks, but exploit kits that attempted to compromise—mostly—Windows machines.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...