Web app security fixes down to 11 days in 2013

Suppliers of web apps improved the rate of delivery for security fixes in 2013, but still take 11 days on average

Suppliers of web applications took nearly two weeks on average to release critical security updates after being notified of a vulnerability in 2013, research has revealed.

But this is a 35% improvement on the year before, according to the latest Web Application Security Trends report by Swiss information security firm High-Tech Bridge.

The average time to patch critical risk vulnerabilities reduced from 17 days in 2012 to 11 days in 2013, while response times improved by 33% across all levels of risk to 18 days on average.

The report stated many of the suppliers notified of a vulnerability by High-Tech Bridge reacted within hours and released a security patch in a couple of days.

The vast majority of suppliers alerted their users to the vulnerabilities identified in a fair and rapid manner, but not all.

“Eleven days to patch critical vulnerabilities is still a fairly long delay,” said Ilia Kolochenko, chief executive officer of High-Tech Bridge.

“But, thankfully, even though serious vulnerabilities are becoming more complex to detect and exploit, there are vendors such as BigTree CMS who are responding to even complex vulnerabilities in less than three hours,” he said.

Security message finally sinking in

The latest report said general awareness among suppliers about the importance of application security is also growing, with many finally taking security seriously.

In the past, even well-known suppliers postponed security-related fixes in favour of releasing new versions of their software with new functionality and unpatched vulnerabilities, the report said.

More on Web application security

  • Web application firewalls may not fix Web application security issues
  • Insider edition: Web application security
  • Tackling Web application security through secure software development
  • Optimising performance and security of web-based software
  • W3af tutorial: How to use w3af for a Web application security scan
  • Using free Web application security scanning tools to secure Web apps
  • Web application testing: Three lessons
  • An introduction to Web application threat modeling

In 2013, however, no big supplier adopted this “dangerous approach” of prioritising functionality over security, the report said.

According to High-Tech Bridge, only three of the 62 security advisories released by the firm in 2013 remain unpatched.

The report said despite better coding practices making serious vulnerabilities in mature apps difficult to find, there were cases where this was undermined by basic mistakes.

Failure to delete installation scripts, for example, enables cyber criminals to compromise an entire application, the report said.

“This highlights the importance of independent security testing and auditing of web applications, as even professional developers may simply miss or forget to control vital security points,” said Kolochenko.

Many of the vulnerabilities previously rated as high or critical risk were downgraded to medium risk in advisories in 2013 because their exploitation required the attacker to be authenticated or logged in.

“This confirms that web developers should also pay attention to security for parts of the application accessible only to “trusted” parties, who may in fact be quite hostile,” said Kolochenko.

In-house apps, XXS and SQLi most vulnerable 

Combining its security research with statistics from its web application security testing software and penetration testing, High-Tech bridge found in-house applications to be the most vulnerable.

In-house applications made up 40% of the most vulnerable apps, followed by plug-ins and modules for content management systems (30%), small content management systems (25%) and large content management systems like WordPress (5%).

Cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities are still the most common weaknesses, making up 55% and 20% of all vulnerabilities found in 2013 respectively.

However, 90% of large and medium-sized content management systems are vulnerable to XSS and SQL because they are not up to date or are incorrectly configured, said Marsel Nizamutdinov, chief research officer at High-Tech Bridge.

“However, we have made great progress in terms of positive impact our research brings to the industry, with tens of thousands of popular websites no longer at risk of compromise thanks to our efforts and collaboration with software suppliers,” he said.

Read more on Web application security