Micro Focus is now part of OpenText. Learn more >

You are here

You are here

Application Security Risk Report 2019: 6 takeaways for your team

Jaikumar Vijayan Freelance writer

Automated testing tools are allowing researchers to look for more types of security flaws in more software products than ever before, which has resulted in a sharp increase in the number of bugs reported to the National Vulnerability Database.

Micro Focus' Software Security Research team recently analyzed public data and data from vulnerabilities detected in over 11,000 applications using its Fortify on Demand platform. The analysis showed that a total of 16,517 application security issues were reported to the NVD in 2018—the most ever in a single year.

That's a 12.8% increase over the 14,647 vulnerabilities reported in 2017, which in turn is double the 6,446 reported for 2016. The largest number of reported vulnerabilities were associated with products from Google (770), Oracle (713), Microsoft (704), and IBM (607). Ten vendors accounted for nearly four out of every 10 vulnerabilities reported to the NVD in 2018—roughly the same as in 2017.

While the massive increase in vulnerabilities over the past two years might suggest deteriorating software quality, the 2019 Application Security Risk Report reveals that more bugs are likely being discovered because automated tools have made it easier for researchers to broaden their focus.

Before 2017, more than 80% of all vulnerabilities came from 10 categories of coding defects, as classified by the Common Weakness Enumeration (CWE) framework. For the past two years, however, a greater number of CWEs—18 in 2017 and 19 in 2018—were necessary to exceed the 80% threshold.

That means researchers are looking for security issues across a broader set of vulnerability classes, the report noted. For instance, in 2017 and 2018 many more vulnerabilities were reported that pertained to issues such as Use After Free, NULL Pointer Dereference, Integer Overflow, and Improper Access Control than in previous years.

Here are the top takeaways from the latest Application Security Risk Report.

1. High-severity vulnerabilities declined (again)

Despite the sharp uptick in the number of overall vulnerabilities reported to the NVD last year, the proportion of them that were of high severity actually declined year over year. In fact, at 26%, the proportion of high-severity bugs in 2018 was the lowest in four years and the second lowest in a decade.

"The analysis of CWEs behind reported CVEs in the NVD indicates that certain types of weaknesses are more prevalent than others," said Alexander Hoole, head of Software Security Research at Micro Focus. Buffer overflow errors (CWE-119), for instance, have been the most widely reported CVE for eight out of the last 10 years.

"This makes sense since CVEs are representing vulnerabilities in software artifacts consumed by others."
—Alexander Hoole

Hoole said it's hard to know for certain the reason for the decline in high-severity vulnerabilities. One possibility is that researchers are looking for flaws that are likely to have the broadest impact. And these need not be flaws of the highest severity.

CVEs are typically created for software artifacts, which are consumed by frameworks, components, server software, and operating systems.

"Since CVEs affect all consumers of the related artifacts, vulnerability researchers will likely target software artifacts that have the largest impact first. Over time, that can lead to a trend toward fewer high-severity issues."
—Alexander Hoole

Other reasons could be at play as well, he said. Bug bounty programs, for instance, could be encouraging researchers to prioritize certain types of software weaknesses over others. The decline in high-severity bugs in 2018—both in absolute terms and as a proportion—coincided, however, with a sharp increase in medium-security vulnerabilities. Last year, medium-security vulnerabilities accounted for 59% of all vulnerabilities, while low-severity flaws rose to 15%.

2. Open source: A clear and present danger

The open-source components that developers use to build applications remain the biggest cause for reported vulnerabilities. Last year, 80%, or eight out of every 10, open-source downloads contained at least one security vulnerability. The most reported vulnerabilities were in Debian Linux (955), Android (611), Ubuntu Linux (496), and three flavors of Red Hat Enterprise Linux—Enterprise Linux Server (394), Enterprise Linux Workstation (378), and Enterprise Linux Desktop (369).

Software organizations that are under pressure to release apps quickly are increasingly using vulnerable open-source components and putting themselves at greater risk in the process. Attackers have noticed the trend and have increased activity aimed at polluting the open-source supply chain, the report said.

In 2018, there were at least six incidents where attackers attempted to poison open-source libraries with backdoor code. For organizations, the trend highlights the need for greater attention to open-source dependency and component management.

3. Nearly all web apps have bugs in their security features

Micro Focus' analysis of Fortify on Demand data showed that 94% of the over 11,000 apps tested had vulnerabilities in their security features. The data also showed a doubling in code quality and API related issues.

Generally, the most common vulnerabilities in web applications continued to be the same as in recent years. For instance, 60% had input validation errors, 70% had encapsulation flaws, and over one-third (35%) had API abuse issues.

4. Mobile apps showed a sharp increase in some vulnerability types

Micro Focus analyzed 700 mobile applications and found that while developers appear to be making headway addressing some flaws—like those that enable brute force attacks—code quality issues overall increased year over year. Nearly all (96%) mobile apps had issues with security features, 79% suffered from encapsulation errors, and 68% reported input validation issues.

"We see more hackers point their attention to mobile apps, sometimes to directly attack the app, and other times to use the app as an easier entry point to attack a cloud service," said Asaf Ashkenazi, chief strategy officer at Verimatrix.

Attackers are increasingly using dynamic analysis tools to reverse engineer mobile apps and are accelerating the discovery of vulnerabilities and the construction of exploits in the process, he said. 

"To make sure an app is secure, it needs to be shielded and hardened, to make sure reverse engineering is nearly impossible, and exploit attempts are detected before they can cause damage."
Asaf Ashkenazi

5. DevOps adoption is increasing

About 75% of organizations have either moved their development to a DevOps model or are considering moving to one, Micro Focus said in its report. More than half (58%) these days test their code at every stage of the development process, while 30% test with each code change.

"On the whole, we are seeing more maturity across the space with organizations working to reduce the risk of breaches by identifying and mitigating vulnerabilities earlier."
—Alexander Hoole

Companies that are not actively trying to identify and mitigate application security risk are likely to have a much higher latent risk than those involved in such activity, he said.

"We see many customers taking an intelligent approach of choosing when and what technologies are deployed for detecting and mitigating different types of application security risk."
—Alexander Hoole

6. Bug bounty programs have a limited impact

Crowd-sourced bug-bounty programs have increased in popularity in recent years. Hundreds of enterprise organizations have signed up for these programs hoping that having a crowd of researchers probe their products will result in the discovery of more vulnerabilities. In reality, only about 4.3% of the vulnerabilities that were disclosed last year came via these programs.

"Bug hunting programs can be a valuable instrument when they are used correctly. However, these programs cannot replace other security practices."
—Asaf Ashkenazi

Having a bug bounty program doesn't negate the need for security reviews or training software developers to use secure coding practices. Bounty programs also do little do protect code after development, Ashkenazi noted.

"Bug hunting programs help finding bugs missed by the company’s engineers. It is not intended to replace secure coding, and it is certainly not guaranteed to find all vulnerabilities."
Asaf Ashkenazi

All eyes on development practices

The top contributors to software vulnerabilities have remained more or less the same over the past 10 years and include coding mistakes such as buffer overflows, improper input validation, cross-site scripting, path-traversal, SQL injection, and code execution. 

Hoole said there are many variables involved in assessing whether application security is improving, declining, or remaining the same. But with few exceptions, vulnerability trends show that application security is becoming more important to enterprise organizations, he said.

"GDPR, and other recent privacy legislations, will likely have a stronger impact on development practices moving forward."
—Alexander Hoole

Read more articles about: SecurityApplication Security