
Application Security

4/14/2021
01:40 PM
Dark Reading
Products and Releases

Invicti Security Reports on Lost Year in Web Application Security

Covid-19, remote work, and economic headwinds interrupted progress, putting businesses and consumers at risk.

AUSTIN, TEXAS – April 13, 2021 – Invicti Security™, a global leader in web application security, today released the spring volume of its Invicti AppSec Indicator Report, which examines the prevalence of web vulnerabilities across more than 3,500 targets in every industry and more than 100 countries. The findings indicate that as organizations shifted focus to support remote work and business continuity amid the challenges of 2020, web application security suffered.

The report, released in previous years as the Acunetix Web Vulnerability Report, was developed through an examination of anonymized data collected via Acunetix, an Invicti DAST and IAST product used by thousands of companies and government organizations to discover and scan web assets for vulnerabilities and prioritize them for remediation. The large dataset, drawn from more than 188,000 web scans, 173,000 network scans, and more than 290 million monthly HTTP requests, provided the basis for the analysis.

Between 2016 and 2019, the number of high-severity and medium-severity vulnerabilities decreased steadily every year, with an average reduction rate of 22% in high-severity vulnerabilities year over year. If that trend had continued, the overall incidence of high-severity vulnerabilities would have decreased from 26% to about 20%. However, progress came to an abrupt halt in 2020, probably as a result of resource reallocation to address Covid-19 business impacts and enable remote work worldwide. 

Among the 2020 report’s findings:

  • The overall prevalence of high-severity vulnerabilities, such as remote code execution, SQL injection, and cross-site scripting, increased slightly from 26% to 27% of the targets scanned
  • Medium-severity vulnerabilities, such as denial-of-service, host header injection, and directory listing, remained present in 63% of web apps in 2020, holding flat from 2019
  • Several high-severity vulnerabilities are well-understood, but did not show improvement in 2020. One example: the incidence of remote code execution, both well-known and damaging, increased by one percentage point last year.
  • Also of note: the incidence of server-side request forgery (SSRF), the primary vulnerability behind the recent Microsoft Exchange breach in 2021, as well as Capital One in 2019, has not improved year over year.

With many of the Covid-related changes to consumer and business behaviors expected to endure beyond the end of the pandemic, web application security is more critical than ever. From growing usage of business tools such as chat, web conferencing, and collaboration environments, to increased consumer adoption of e-commerce, attack surfaces continue to expand. Recent research indicates that the largest percentage of breaches in 2020 began with a web application, yet at the same time, the number and severity of a variety of other types of attacks reached new highs in 2020, diverting the time and resources of security organizations away from web application security. 

“It’s very troubling to see this loss of momentum due to reduced attention to web application security,” said Invicti president and COO Mark Ralls. “As we look ahead, we hope to see organizations adopt best practices and invest in security, so that they can continue to advance their web security posture, protect their customers, and avoid being the next big security breach headline.”

The full report is available here.

Related:

2020 Acunetix Web Application Vulnerability Report

2019 Acunetix Web Application Vulnerability Report

About Invicti Security

Invicti Security is changing the way web applications are secured. A global leader in web application security for more than 15 years, Invicti’s dynamic and interactive application security products help organizations in every industry scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture. Invicti’s product Netsparker delivers industry-leading enterprise web application security, while Acunetix is designed for small and medium-sized companies. Invicti is backed by Turn/River Capital, and is headquartered in Austin, Texas, with offices in London, Malta, and Istanbul.

