    Web Application Vulnerabilities Continue to Grow, Imperva Reports

    By Sean Michael Kerner - January 9, 2019
      Imperva State of Web Application Vulnerabilities in 2018

      2018 was not a good year for web application vulnerabilities, with 17,142 reported issues, according to a report released on Jan. 9 by Imperva.

      The 2018 tally for web application vulnerabilities represents a 21 percent year-over-year increase from 2017. There are multiple types of web application vulnerabilities, among the most common being Cross Site Scripting (XSS) vulnerabilities, which doubled in 2018 and represented 14 percent of reported issues. The top issue, however, was injection vulnerabilities, which grew by a staggering 588 percent year-over-year and represented 19 percent of web application vulnerabilities reported in 2018.

      “Microsoft and IBM had a major influence as more injection vulnerabilities were published in 2018 than in 2017,” Nadav Avital, research manager of threat analytics at Imperva, told eWEEK.

      In an injection vulnerability, code or data is injected into a web application data path leading to some form of unexpected result. There are multiple types of injection vulnerabilities, with SQL injection being among the most well-known. With SQL injection, an attacker inputs unexpected data into a database SQL query, which can lead to data exfiltration. Imperva reported that in 2018 there were 1,354 reported SQL injection vulnerabilities. An even larger injection issue, however, is remote command execution (RCE), which had 1,980 reported vulnerabilities in 2018. With an RCE, an attacker can remotely exploit a vulnerable application via some form of malicious input.
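      As an added illustration of the SQL injection mechanism described above (example code written for this page, not taken from the Imperva report or from eWEEK), the snippet below builds a small constructed SQLite database and runs the same lookup two ways: one that splices the user's input into the query text, and one that binds it as a parameter. A crafted input that turns the WHERE clause into a tautology pulls back every row from the first version and nothing from the second, which is the defensive point: parameter binding keeps untrusted input from changing the structure of the query.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the input is pasted into the SQL text, so a quote
    # character in the input can end the literal and alter the WHERE clause.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened pattern: the driver binds the value separately from the SQL,
    # so whatever the input contains is only ever compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for a benign and a hostile input under both patterns."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),  # whole table
        "parameterized_benign": len(lookup_parameterized(conn, benign)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),  # no rows
    }


if __name__ == "__main__":
    print(demo())
```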

      There are several reasons why injection vulnerabilities have grown over the past year.

      “On one hand, there are developer communities that don’t enforce security best practices in the development life cycle,” Avital said. “On the other hand, bug bounty programs are becoming more popular and widely adopted by the industry.”

      In bug bounty programs, researchers are awarded a “bounty,” that is, a financial reward, for responsibly disclosing a vulnerability. Many bug bounty programs put a focus on injection vulnerabilities as a primary class of bug to identify.

      IoT Vulnerabilities

      While the volume of injection vulnerabilities grew in 2018, internet of things (IoT) vulnerabilities went the other direction, with fewer IoT vulnerabilities reported in 2018 than there were in 2017.

      “2018 bore good news for the IoT industry as more organizations are showing interest in developing security standards and best practices,” Avital said. 

      Among the standards and best practices announced in 2018 for IoT security was one from the U.S. National Institute of Standards and Technology (NIST) in May. In addition, the Open Web Application Security Project (OWASP) released the new list of top 10 risks in IoT. 

      “These are all signs that the IoT industry, and in turn IoT vendors, is investing more in security,” Avital said.

      Patching Rates

      While the number of overall vulnerabilities is concerning, there is another key trend identified by Imperva that might have even more impact. Imperva reported that of the web application vulnerabilities reported in 2018, 38 percent do not have an available solution, such as a software upgrade, a workaround or a software patch.

      “While there is no available solution, there is also no guarantee that all of these vulnerabilities are exploitable,” Avital said. “Some are and some are not.”

      Avital added that the lack of patches for so many web application vulnerabilities is one of the reasons that organizations should rely on “security in depth” and have multiple security solutions, like a web application firewall, to protect IT assets. 

      What’s Next?

      Looking at what trends are likely to emerge in 2019, Avital said he expects that injection vulnerabilities will continue to grow.

      Additionally, Avital highlighted potential risks that are coming from the widely deployed PHP programming language, which is used inside many content management systems (CMS) and web applications. At the end of 2018, PHP announced that versions 5.5, 5.6 and 7.0 reached their end of life. That means that these versions will no longer receive security updates. 

      “The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions, since they will not be fixed and impact every application built with these outdated versions,” he said. “For example, according to Shodan, there are currently 34K servers with these unsupported PHP versions.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
