Even though it is critical, web application security is getting less attention across organizations amid the pandemic.
With companies shifting their focus to supporting remote work and business continuity in a challenging marketplace, web application security has been suffering, according to a recent Invicti Security study.
Between 2016 and 2019, the number of high-severity and medium-severity security vulnerabilities decreased steadily every year, with an average year-over-year reduction of 22% for high-severity vulnerabilities.
Had that trend continued, the overall incidence of high-severity security vulnerabilities would have declined from 26% to around 20%. However, this progress came to an abrupt halt in early 2020, as resources were re-allocated to address pandemic-induced business impacts and to enable remote work globally.
Some of the principal highlights from the study:
- The overall prevalence of high-severity vulnerabilities, including SQL injection, remote code execution, and cross-site scripting, increased slightly, from 26% to 27% of the targets scanned.
- Medium-severity security vulnerabilities such as host header injection, denial of service, and directory listing remained present in about 63% of web apps in 2020, holding flat from 2019.
- Several high-severity security vulnerabilities are well recognized, yet they showed no improvement in 2020. For instance, the incidence of remote code execution, which is both well known and damaging, increased by 1 percentage point last year.
- The incidence of server-side request forgery (SSRF), the main vulnerability behind the latest Microsoft Exchange breach in 2021 and the Capital One breach in 2019, has not improved year over year.
With many pandemic-related changes to consumer and business behavior expected to endure beyond the end of this situation, web application security is more significant than ever.
From the increasing use of business tools such as IM chat, web collaboration environments, and web conferencing to growing consumer acceptance of e-commerce, cyber-attack surfaces will continue to expand.
The study indicates that the largest percentage of breaches in 2020 began with a web application. At the same time, the severity and number of a variety of attacks reached new highs amid the global pandemic.
Clearly, the pandemic has diverted the time and resources of enterprise security teams away from web application security, and the resulting loss of momentum in attention to web application security is very troubling.
In this context, Mark Ralls, President and COO at Invicti, said: “As we look ahead, we hope to see organizations adopt best practices and invest in security so that they can continue to advance their web security posture, protect their customers, and avoid being the next big security breach headline.”