Developers continue to leave the vast majority of Web applications open to attack by leaving behind unused code, by working with vulnerable third-party libraries and by allowing code frameworks to request content from third-party sites, according to a report released this week.
The data, collected by application-security firm tCell by observing real attacks on web applications, shows that legacy and third-party code add a significant amount of risk to applications. More than 90 percent of companies had “orphaned routes”—unused code paths in their applications that serve no purpose but can still be exploited. In addition, 88 percent of companies had Web applications that used vulnerable third-party libraries, the report stated.
The data is based on 33 in-production applications and the real-world attacks those applications encountered, Michael Feiertag, CEO and co-founder of tCell, told eWEEK.
“It’s not just what are the theoretical problems, but what are the real-world issues that come up with these environments,” he said. “This is important, because once you have a really good handle on the risk profile of the application, then you can start implementing policies to secure the application.”
Most Web application developers, if they focus on security, aim to prevent vulnerabilities that fall into the Top 10 list of the Open Web Application Security Project (OWASP). The latest release candidate of the vulnerability list, published in April 2017, focuses on issues such as database injection, poorly coded authentication components and cross-site scripting. Yet the tCell data shows that the sources of many application risks are actually legacy and third-party code.
While more than 90 percent of companies had unused code in their applications that posed a security risk, 27 percent had more than 100 orphan routes. Fixing these routes “represents an opportunity to reduce the attack surface (risk) without any reduction in application functionality or business benefit,” the report stated.
The company also found that 88 percent of in-production Web applications used at least one vulnerable code library or package. The typical Web application used 180 packages, almost 60 percent of which were outdated, the report stated.
In addition, the average application pulled data from more than 25 domains, including 13 percent that pulled data from advertising, spyware or malware domains.
Finally, the report stated that companies need to develop the ability to reduce false alerts—also known as false positives. While more than 494,000 cross-site scripting (XSS) attacks were attempted, for example, only 0.0001 percent of those attacks actually succeeded in changing browser content and required a response.
“It is not helpful to identify those half-million attack attempts, because there is nothing that you can do with that,” Feiertag said. “But if you can use the data to isolate the attacker, then you can shut down the attacks.”