
State of app security 2016: Most common vulnerabilities, top trends

Jaikumar Vijayan, Freelance writer

The old aphorism about information security being a journey and not a destination is perhaps nowhere more apparent than in the application security realm. For years, experts have advocated the need for security to be baked into the development process and not bolted onto it like a reluctant afterthought. Many major vendors and enterprises have, in fact, made security an integral part of software development life cycle (SDLC) practices for some time.

Efforts like the Open Web Application Security Project (OWASP), and its mobile application counterpart, have contributed significantly to raising overall awareness of the most common vulnerabilities in web and mobile apps and how to address them. Yet progress in application security has remained excruciatingly hard to come by, as Hewlett Packard Enterprise’s recently released Cyber Risk Report 2016 shows.

As it has done previously, HPE reviewed the state of application security as part of its overall assessment of the cybersecurity landscape in 2015. The review was based on scan data collected by HPE Security’s Fortify on Demand service between October 2014 and October 2015. The data set was drawn from over 7,000 web and desktop apps and over 450 mobile apps.

What the review showed was that many of the most critical vulnerabilities in application software were the same as those in previous years, suggesting that software developers are continuing to stumble over the same issues, despite knowing about them. 

“Both applications and mobile software pose unique challenges to developers, and various vulnerabilities detected in these platforms support that impression.” — HPE Cyber Risk Report 2016


HPE 2016 Cyber Risk Report: 4 application security takeaways

Here in no particular order are four major takeaways on application security from the report:

1. Traditional applications, traditional problems

Dominating the charts this year again were errors pertaining to encapsulation, environment, security features, and input validation. Seventy-two percent of web applications and 93 percent of mobile applications had at least one encapsulation error, such as a privilege escalation flaw, while 77 percent of web apps and 88 percent of mobile apps had environmental flaws, such as configuration errors.


Vulnerabilities related to security features, such as authentication and access control issues and encryption errors, were present in an astounding 90 percent of web apps and 99 percent of mobile apps. In fact, vulnerabilities related to security features dominated all other vulnerability categories in the case of both web applications and mobile apps. The trend is ironic considering that features such as authentication and encryption are supposed to make apps stronger, not weaker.

For the report, researchers differentiated the most commonly occurring security vulnerabilities from the most critical ones and found that the most severe threats were not always the most prevalent ones. About one-third of the applications that researchers scanned showed at least one critical-severity or high-severity flaw.

Topping the list of the 10 most commonly occurring critical severity vulnerabilities in applications were weak SSL protocols, cross-site scripting issues, and null pointer errors.

The top 10 most commonly occurring application vulnerabilities.

The researchers described the high incidence of applications with SSL vulnerabilities as disappointing, especially considering the attention generated by SSL flaws such as the POODLE vulnerability.

“It’s likely that many applications continue to use weak SSL protocols and ciphers for backward-compatibility purposes, but it’s still a dangerous choice."
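The "backward-compatibility" configuration the report warns about is easy to audit for. The following is an added example, not code from the report or from HPE: a small checker that flags the protocol versions and cipher families the report calls weak (SSLv3, the version POODLE attacked, and everything below TLS 1.2, plus RC4, DES/3DES, export, NULL and MD5-based suites), run over two constructed configs, one legacy and one hardened, followed by a Python `ssl.SSLContext` set up the way the hardened config describes. The config dicts, the cutoff at TLS 1.2 and the marker list are this example's assumptions, not figures from the report.

```python
import ssl

# Assumption: anything below TLS 1.2 is treated as weak. SSLv3 is the version
# broken by POODLE; TLS 1.0/1.1 are deprecated.
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Substrings that identify cipher suites with no place on a 2016 server:
# no encryption, export-grade, RC4, DES/3DES, MD5 MACs.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")


def audit_tls_config(config):
    """Return a list of human-readable findings for a simplified config of the
    form {"protocols": [...], "ciphers": [...]}. Empty list means clean."""
    findings = []
    for proto in config.get("protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
    for cipher in config.get("ciphers", []):
        name = cipher.upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {cipher}")
    return findings


# Constructed sample configs (not from the report). LEGACY_CONFIG is the kind
# of "keep the old clients working" setup the report describes.
LEGACY_CONFIG = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"],
}


def hardened_server_context():
    """A server-side ssl.SSLContext that enforces HARDENED_CONFIG: TLS 1.2 as
    the floor, and only forward-secret AEAD suites from the TLS 1.2 list
    (TLS 1.3 suites are selected by OpenSSL separately and are all AEAD)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES")
    return ctx


def context_cipher_names(ctx):
    """The cipher suites the context will actually offer, by OpenSSL name."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or "clean")
    ctx = hardened_server_context()
    print("context offers:", context_cipher_names(ctx))
    print("context audit:", audit_tls_config({"ciphers": context_cipher_names(ctx)}) or "clean")
```

The audit is deliberately a substring check so it can be pointed at whatever format your servers export (an nginx `ssl_ciphers` line, a Java `enabledCipherSuites` list); the second half shows that the same policy, expressed as an OpenSSL cipher string, leaves nothing for the checker to flag.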

About 11 percent of the scanned apps had what HPE described as privacy violation errors. The median number of privacy-related vulnerabilities in these apps was 10, which was higher than the median number of vulnerabilities of other types. Perhaps most surprisingly, 10 percent of the applications it scanned last year had hard-coded passwords in them.

“Five years after Stuxnet made clear the profound security shortcomings of making a 'password' part of the code itself, this particular vulnerability should embarrass any software architect that allows it to happen.” — HPE Cyber Risk Report 2016
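Hard-coded credentials are also among the cheapest findings to catch before code ships. The block below is an added example, not code from the report: a line-oriented scanner for `password = "..."`-style assignments run over a constructed configuration file, next to the hardened way of obtaining the same secret (read it from the environment or a secret manager and refuse to start without it, rather than shipping a default). The regular expression, the sample file and the `load_db_password` helper are this example's own; tune the name list to your code base.

```python
import os
import re

# Heuristic: an identifier ending in a credential-like word, an assignment
# (= or :), then a quoted literal of at least four characters. Named group 2
# is the quote character, so \2 forces the closing quote to match.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<name>[A-Za-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key|token))
    \s*[:=]\s*
    (['"])(?P<value>[^'"]{4,})\2
    """
)


def scan_for_hardcoded_credentials(source):
    """Return (line_number, identifier, literal) for every credential literal in
    `source`. Comment lines are skipped. A real tool should mask the literal
    before logging it; it is returned here so the caller can decide."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue
        match = CREDENTIAL_ASSIGNMENT.search(line)
        if match:
            findings.append((lineno, match.group("name"), match.group("value")))
    return findings


# Constructed sample (not from the report): two hard-coded values, one value
# pulled from the environment, one old value left in a comment.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
DB_HOST = "db.internal.example"
DB_PASSWORD = "Summer2015!"
API_TOKEN = os.environ["API_TOKEN"]
# password = "old-value-left-in-a-comment"
smtp_password: "changeme"
"""


def load_db_password(env=None):
    """Hardened form of line 3 above: the secret comes from the environment
    (or whatever your secret manager injects there) and absence is an error,
    so no default can leak into a build. `env` is a mapping, defaulting to
    os.environ, so the behaviour can be tested without touching the process."""
    env = os.environ if env is None else env
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start without a credential")
    return value


if __name__ == "__main__":
    for lineno, name, value in scan_for_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {value[:2]}{'*' * (len(value) - 2)}")
```

Running the scanner over `SAMPLE_SOURCE` reports lines 3 and 6 and nothing else: the environment lookup on line 4 is not a quoted literal, and the commented-out value on line 5 is skipped. Note that `"changeme"` is still reported; a placeholder default is exactly the kind of value that ends up in production.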

2. Mobile apps beset with different issues

The security issues affecting mobile applications tended to be generally different from the issues affecting web applications, though there was overlap in certain areas. Internal system information leaks and data storage errors were a particular concern for many mobile applications, especially those storing a lot of personally identifiable information as well as geolocation and keyboard caching data.

About 88 percent of the mobile applications that HPE inspected had what the company described as insecure storage and privacy violations. The tendency by many mobile device users to install both trusted and untrusted applications on devices used for work purposes heightened the concerns around such flaws, according to the report.

Other top mobile security concerns included insecure transport of authentication information, null pointer errors, and inadequate account-management features.

The top 10 most common critical-severity mobile application vulnerabilities

Errors in security features such as access control errors and authentication errors were a big issue with mobile applications as well. In fact, mobile applications had even more problems with security features than web applications.

The research showed that mobile applications generally tended to be far more prone to misuse than web and traditional applications. The researchers identified the issue as most likely having to do with immature software development practices and a lack of adherence to best practices for mobile-specific frameworks and APIs in areas such as push notifications, ad frameworks, and the calendar app.


3. It's open season for open-source software

The review of 287 open-source applications across more than 10 programming languages showed a couple of interesting distinctions between the vulnerabilities impacting Java applications and flaws in PHP-based applications.

A massive 97 percent of the scanned Java apps, for instance, had code quality errors. While quality concerns do not automatically imply a lack of security, the two issues have often tended to go hand in hand.

In stark contrast to Java apps, the PHP apps that HPE scanned did not show any code quality issues, at least not straight out of the box. Instead, 97 percent of them had input validation and representation errors, such as SQL injection, cross-site scripting, and buffer overflow errors, compared to 76 percent of Java applications.

As with web applications and traditional applications, security features were a big source of concern with both Java and PHP applications. Some 82 percent of Java applications and 87 percent of PHP apps contained password management, privacy violation, and other issues related to the security features of these applications. “Their presence implies that these applications do not take good care of private data,” the study concluded.

The situation was not too different with the Java and PHP open-source libraries that are often used in enterprise applications. HPE's scanning data showed that code quality errors, input validation and representation errors, and vulnerabilities in security features topped the list of most common vulnerabilities in open-source libraries, just as they did with open-source applications.

Top 10 open source vulnerability categories across applications and libraries

4. Commercial software holds security edge over open source

A comparison of the security issues in commercial apps and those in open-source applications suggests that developers of commercial software are generally doing a better job at security than their open-source counterparts, according to HPE.

The only area where both categories of software were similar involved security features. Features ostensibly designed to protect critical application operations ironically were the biggest source of problems in both open-source and commercial apps. The review showed that authentication, confidentiality, privilege management, cryptography, and access control features were major sources of vulnerabilities in commercial and open-source applications alike.

But at the end of the day, developers of commercial software appear to be doing a better job overall of addressing certain types of security issues than their open-source counterparts, HPE said.

Far more open-source Java and PHP applications, for instance, are susceptible to input validation and representation errors, such as buffer overflows, SQL injection, and cross-site scripting issues, than commercially developed software. While only 44 percent of commercial software had these errors, 76 percent of open-source Java apps and 97 percent of open-source PHP apps had them. Similarly, while 97 percent of open-source Java apps exhibited some sort of code quality error, only 21 percent of commercial apps were susceptible to the same issue.
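The input validation and representation category that dominates the PHP figures in section 3 and the open-source-versus-commercial comparison here is headed by SQL injection, and the defect is the same in any language: untrusted input is pasted into the query text. The following is an added example, not code from the report or from any application it scanned, using Python's built-in sqlite3 with an in-memory table of constructed users: the vulnerable lookup and the parameterized one side by side, plus an allow-list check for the username. The table, the users and the `bob' OR '1'='1` payload are this example's assumptions.

```python
import re
import sqlite3

# Allow-list validation: usernames are lowercase alphanumerics/underscore,
# 1 to 32 characters. Validation is a second layer; parameterization is the fix.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def make_db():
    """Constructed in-memory database with three users (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The defect the report counts as an input validation and representation
    error: the value becomes part of the SQL text, so quotes in it change
    the query's structure."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized form: the value is bound by the driver and can only ever
    be compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "bob' OR '1'='1"
    print("valid username?", is_valid_username(payload))
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row
    print("safe:      ", find_user_safe(conn, payload))        # no row
```

With the payload, the vulnerable query becomes `... WHERE username = 'bob' OR '1'='1'` and returns all three users; the parameterized query compares the literal string `bob' OR '1'='1` against the column and returns nothing. The allow-list rejects the payload before it reaches either query, but on its own it is not a substitute for binding parameters.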

One reason that developers of commercial software seem to be doing a better job overall with certain vulnerability categories could be their better access to tools for finding memory management and other issues in software.

Because commercial apps in the study were subjected to both dynamic and static scans, they tended to exhibit more privilege escalation, data exposure, and other encapsulation errors than open source code that was subjected only to static scans, the company added.

Importantly, the report takes some time to examine the implications of the growing use of open-source libraries and components in commercial software. Seventy-nine percent of the applications that HPE scanned used at least one open-source library, and often several more. In contrast, only 65 percent of the apps scanned in 2014 used an open-source component. More than half the code in some 44 percent of the applications was comprised of open-source components.

Despite the trend, developers and administrators of enterprise applications continue to be somewhat lax about the security of open-source components in their applications. The HPE review showed that while maintainers of open source code are typically quick to patch security vulnerabilities, commercial software developers and administrators often lag well behind in addressing them.

Remediation efforts show improvement

The report offers some interesting insight into the correlation between vulnerability scanning methods and the speed with which vulnerabilities are remediated. Enterprises tend to do substantially more static scans than dynamic scans, with the data showing a median of six days between static scans and 27 days between dynamic scans.

System information leak issues and other low-severity vulnerabilities uncovered during a static scan often are addressed very quickly. But the more serious vulnerabilities uncovered via static scans take between 31 and 60 days to remediate because of the longer investigations and the greater amount of time needed to develop patches for them.

In contrast, severe vulnerabilities uncovered during dynamic scans are addressed quickly and typically within the first few days of discovery. The difference in response time may have a lot to do with the differing quality of the information presented to developers by the two scanning technologies, HPE said.

Image credit: Flickr
