What vulnerabilities and security issues plague web and mobile apps?

By : Nata Kesuma | Wednesday, November 24 2021 - 21:00 IWST

Cybersecurity Jobs. PHOTO: Cybercrime Magazine.

INDUSTRY.co.id - One of the most compelling reasons organisations use third-party application security testing is to extend their own software security testing capability when circumstances make adding new resources problematic.

That’s certainly the case in today’s pandemic environment. According to research from Cybersecurity Ventures, the number of unfilled cybersecurity positions in the world currently is over 3.5 million — enough people to fill 50 football stadiums. 

In the U.S., nearly half of the estimated 950,000 cybersecurity positions are unfilled. The CyberSeek project of the National Institute of Standards and Technology in the U.S. Department of Commerce calls this a dangerous shortage, especially when you consider the rise of cyberattacks, data breaches, and ransomware holdups over the past 18 months.

“We’ve seen a heavy increase in assessment demand throughout the pandemic,” Girish Janardhanudu, vice president of security consulting at Synopsys Software Integrity Group, said. “Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery are forcing security groups to react more quickly as software is released. With insufficient AppSec resources in the market, organisations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing.”

Synopsys recently published its “2021 Software Vulnerability Snapshot” report, examining data from 3,900 tests on commercial web and mobile applications conducted by Synopsys security consultants during 2020. Industries represented in the report include software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare.

The tests included penetration testing, dynamic application security testing, and mobile application security analyses, designed to probe running applications as a real-world attacker would, with the goal of identifying vulnerabilities that could then be triaged and remediated as necessary.

The need for a full spectrum of software security testing

A full 97% of the tests uncovered some form of vulnerability, with 30% having high-risk vulnerabilities and 6% having critical-risk vulnerabilities. Twenty-eight percent of the applications tested had some exposure to cross-site scripting attacks, one of the most prevalent and destructive high-/critical-risk vulnerabilities impacting web applications.

The report makes it clear why a full spectrum of application security testing is an essential component of managing software risk in today’s world. While “transparent box” testing such as static application security testing (SAST) can bring visibility to security issues early in the software development life cycle, SAST cannot uncover runtime security vulnerabilities. And some vulnerabilities cannot be easily detected by automated testing tools—they need human oversight to be uncovered. 

For example, the only effective way to detect an insecure direct object reference (IDOR), an issue that allows attackers to manipulate references in order to gain access to unauthorized data, is by having a human perform a manual test. 
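To make the IDOR point concrete, here is an added example (not code from the article or from Synopsys): a constructed in-memory invoice lookup in its vulnerable form beside its hardened form, and the manual-style check a tester performs by authenticating as one user and requesting another user's record. The user names and invoice ids are made up for the example.

```python
# Added example, not from the article: an insecure direct object reference
# (IDOR) beside its fix, plus the ownership check a human tester performs.
from dataclasses import dataclass

@dataclass
class Invoice:
    invoice_id: int
    owner: str
    amount: float

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 75.50),
}

class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested object."""

def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    # Defect: the handler trusts the client-supplied id and never checks
    # that the authenticated user owns the object it refers to.
    return INVOICES[invoice_id]

def get_invoice_hardened(session_user: str, invoice_id: int) -> Invoice:
    # Fix: object-level authorization. Look the record up, then verify
    # ownership before returning it. Missing and forbidden ids produce
    # the same error so the endpoint does not reveal which ids exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return invoice

def idor_check(handler, as_user: str, foreign_id: int) -> bool:
    """Return True if `as_user` can read an object they do not own.

    A scanner sees a valid response either way and cannot tell whose
    data it is; a tester who knows the ids belong to different accounts can.
    """
    try:
        invoice = handler(as_user, foreign_id)
    except (Forbidden, KeyError):
        return False
    return invoice.owner != as_user

if __name__ == "__main__":
    print("vulnerable leaks:", idor_check(get_invoice_vulnerable, "alice", 1002))
    print("hardened leaks:  ", idor_check(get_invoice_hardened, "alice", 1002))
```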

Clearly, there’s no one best approach to application security testing. Humans need to perform the security tests they’re the most effective at carrying out, with their efforts augmented by automated testing.

Vulnerabilities from the 2021 OWASP Top 10 were discovered in 76% of the targets. Application and server misconfigurations made up 21% of the overall vulnerabilities found in the tests, represented by the OWASP A05:2021 — Security Misconfiguration category. And 19% of the total vulnerabilities found were related to the OWASP A01:2021 — Broken Access Control category.

Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of the discovered vulnerabilities in the mobile tests were related to insecure data storage. These vulnerabilities could allow an attacker with access to a mobile device, either physically (e.g., a stolen device) or through malware, to read the stored data. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.

Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of the vulnerabilities discovered in the tests are considered minimal-, low-, or medium-risk. That is, the issues found are not directly exploitable by attackers to gain access to systems or sensitive data.

Nonetheless, even lower-risk vulnerabilities can be exploited to facilitate attacks. For example, verbose server banners—found in 49% of the tests—provide information such as server name, type, and version number, which could allow attackers to perform targeted attacks on specific technology stacks.

There is an urgent need for a software Bill of Materials. Of note was the number of vulnerable third-party libraries in use; they were found in 18% of the penetration tests conducted by Synopsys application testing services.

With many companies having hundreds of applications or software systems in use, each of which likely contains hundreds to thousands of different third-party and open source components, an accurate, up-to-date software Bill of Materials is urgently needed to track those components effectively.
