Software development remains insecure

Instances of common web-based vulnerabilities have remained consistent for the past nine years, analysis by researchers at cyber security and risk mitigation firm NCC Group has revealed.  

In particular, the number of cross-site scripting (XSS) vulnerabilities has remained largely stable, accounting for 18% of all vulnerabilities found.

This is consistent with reports by white hat hacking community platform HackerOne that XSS is the most commonly exploited vulnerability across all vulnerability hunting deployments.

This is despite XSS being listed in the Owasp top 10 security problems for a number of years and the availability of guidance on how to avoid it.

XSS flaws are often overlooked even though they can enable attackers to inject malicious scripts into websites or victims’ browsers. 

Matt Lewis, research director at NCC Group, said while other common vulnerabilities have disappeared in the past decade, XSS flaws continue to be prevalent after almost 20 years.

“We should have seen a significant fall in these types of vulnerabilities, but this hasn’t been the case, which highlights the need for better education around security in the software development life cycle,” he said.

Overall, the team uncovered 1,108 vulnerabilities in 53 different categories across technologies used by 354 suppliers, and found that there was an increase in the number of bugs targeting complex applications and hardware.

This included deserialisation flaws – when untrusted data is used to abuse the logic of an application and inflict distributed denial of service (DDoS) or remote code attacks – and the exploitation of multiple low-risk issues in a chain across a complex web application, resulting in full, unauthorised control.

Researchers also saw an increase in hardware-related design flaws, following an increased engagement with embedded systems and internet-connected devices making up the internet of things (IoT).

“Although there could be a lot of factors influencing the discovery of bugs over the past nine years – such as shifts in industry focus with regard to certain classes of bugs, and even the time that our consultants have available – there is still an ongoing prevalence of the most common vulnerabilities,” said Lewis.

“As well as this, we’re already seeing an increasing variety of relatively new attack methods as applications and systems become more complex,” he said.

According to Lewis, this highlights the need for more investment into security skills and “a wider understanding of how important the mitigation of these vulnerabilities is for the overall security of businesses”.

A recently published study by security firm Rapid 7 shows that only 16% of companies investigated are clear of software vulnerabilities that external cyber attackers could use to gain access to their IT systems.

The study was aimed at discovering the most common weaknesses in modern enterprises to identify the most prevalent cyber threats to inform cyber defence strategies.

Further underlining the threat of software vulnerabilities, a study by Digital Shadows and Onapsis shows that cyber attackers are exploiting enterprise resource planning (ERP) applications and expanding their operations to target high-value assets.

The report shows a dramatic rise in cyber attacks on widely used ERP applications such as SAP and Oracle, which currently have a combined total of 9,000 known security vulnerabilities, and highlights an increase in attacks on these systems by nation-state actors, cyber criminals and hacktivists.