Invicti Security Reports on Lost Year in Web Application Security
Invicti Security™, a global leader in web application security, today released the spring volume of its Invicti AppSec Indicator Report, which examines the prevalence of web vulnerabilities across more than 3,500 targets in every industry and more than 100 countries. The findings indicate that as organizations shifted focus to support remote work and business continuity amid the challenges of 2020, web application security suffered.
The report, released in previous years as the Acunetix Web Vulnerability Report, was developed through an examination of anonymized data collected via Acunetix, an Invicti DAST and IAST product used by thousands of companies and government organizations to discover and scan web assets for vulnerabilities and prioritize them for remediation. The large dataset includes data from more than 188,000 web scans, 173,000 network scans, and more than 290 million monthly HTTP requests provided the basis for the analysis.
Between 2016 and 2019, the number of high-severity and medium-severity vulnerabilities decreased steadily every year, with an average reduction rate of 22% in high-severity vulnerabilities year over year. If that trend had continued, the overall incidence of high-severity vulnerabilities would have decreased from 26% to about 20%. However, progress came to an abrupt halt in 2020, probably as a result of resource reallocation to address Covid-19 business impacts and enable remote work worldwide.
Among the 2020 report’s findings:
The overall prevalence of high-severity vulnerabilities such as remote code execution, SQL injection, and cross-site scripting, increased slightly from 26% to 27% of the targets scanned
Medium-severity vulnerabilities such as denial-of-service, host header injection, and directory listing, remained present in 63% of web apps in 2020, holding flat from 2019
Several high-severity vulnerabilities are well-understood, but did not show improvement in 2020. One example: the incidence of remote code execution, both well-known and damaging, increased by one percentage point last year.
Also of note: the incidence of server-side request forgery (SSRF), the primary vulnerability behind the recent Microsoft Exchange breach in 2021, as well as Capital One in 2019, has not improved year over year.
With many of the Covid-related changes to consumer and business behaviors expected to endure beyond the end of the pandemic, web application security is more critical than ever. From growing usage of business tools such as chat, web conferencing, and collaboration environments, to increased consumer adoption of e-commerce, attack surfaces continue to expand. Recent research indicates that the largest percentage of breaches in 2020 began with a web application, yet at the same time, the number and severity of a variety of other types of attacks reached new highs in 2020, diverting the time and resources of security organizations away from web application security.
This entry was posted on April 13, 2021 at 10:15 am and is filed under Commentary with tags Invicti Security. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Invicti Security Reports on Lost Year in Web Application Security
Invicti Security™, a global leader in web application security, today released the spring volume of its Invicti AppSec Indicator Report, which examines the prevalence of web vulnerabilities across more than 3,500 targets in every industry and more than 100 countries. The findings indicate that as organizations shifted focus to support remote work and business continuity amid the challenges of 2020, web application security suffered.
The report, released in previous years as the Acunetix Web Vulnerability Report, was developed through an examination of anonymized data collected via Acunetix, an Invicti DAST and IAST product used by thousands of companies and government organizations to discover and scan web assets for vulnerabilities and prioritize them for remediation. The large dataset includes data from more than 188,000 web scans, 173,000 network scans, and more than 290 million monthly HTTP requests provided the basis for the analysis.
Between 2016 and 2019, the number of high-severity and medium-severity vulnerabilities decreased steadily every year, with an average reduction rate of 22% in high-severity vulnerabilities year over year. If that trend had continued, the overall incidence of high-severity vulnerabilities would have decreased from 26% to about 20%. However, progress came to an abrupt halt in 2020, probably as a result of resource reallocation to address Covid-19 business impacts and enable remote work worldwide.
Among the 2020 report’s findings:
With many of the Covid-related changes to consumer and business behaviors expected to endure beyond the end of the pandemic, web application security is more critical than ever. From growing usage of business tools such as chat, web conferencing, and collaboration environments, to increased consumer adoption of e-commerce, attack surfaces continue to expand. Recent research indicates that the largest percentage of breaches in 2020 began with a web application, yet at the same time, the number and severity of a variety of other types of attacks reached new highs in 2020, diverting the time and resources of security organizations away from web application security.
The full report is available here.
Share this:
Like this:
Related
This entry was posted on April 13, 2021 at 10:15 am and is filed under Commentary with tags Invicti Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.