New Invicti Research: Vulnerabilities on the Rise; Public Sector Particularly at Risk

Invicti Security today released its Spring 2022 AppSec Indicator, which reveals a rise in severe web vulnerabilities and the need for executive leaders to intertwine their application security and digital transformation efforts to reduce risk.

Data from 23.6B security checks underscores need for comprehensive application security approach, with 1/3 of Government and Education organizations still at risk of SQL injection in 2021

AUSTIN, TX – April 5, 2022 – Invicti Security™ today released its Spring 2022 AppSec Indicator, which reveals a rise in severe web vulnerabilities and the need for executive leaders to intertwine their application security and digital transformation efforts to reduce risk. The report examines web vulnerabilities from over 939 Invicti customers worldwide and was derived from the largest data set yet, with more than 23 billion security checks executed on customer applications uncovering over 282,000 direct-impact vulnerabilities.

The data shows that numerous commonplace and well-understood vulnerabilities continue to proliferate in web applications, and the continued presence of these vulnerabilities presents a serious risk to organizations in every industry. Among the findings:

  • Remote code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi) are all top offenders, each increasing in frequency or hovering around the same alarming numbers year over year. These vulnerabilities can lead to consequences such as compromised back-end data, hijacked sessions, or forced actions on behalf of other users and services. 
  • Remote code execution, always the ultimate goal of malicious attackers but now especially prominent due to last year’s Log4Shell vulnerability, has seen a steady increase since 2018, jumping 5% in frequency. 
  • After a slight improvement in 2020, cross-site scripting (XSS) backslid in 2021, with its incidence rising 6% year over year.
  • Two industry sectors saw above-average rates of SQL injection. 35% of educational institutions and 32% of government organizations experienced at least one occurrence of SQLi, reflecting that legacy code still in production in these industries needs modernization, and that knowledge gaps among developers should be addressed.

Direct-impact vulnerabilities simply aren’t reducing in frequency, but there are foundational elements to every AppSec program that can improve security posture. For many organizations without adequate security measures, the persistence of vulnerabilities can be attributed to failures in secure design, a lack of comprehensive scanning, and the prevailing talent gap in cybersecurity. While these stressors increase risk, organizations that adopt a proactive and comprehensive approach to application security, prioritizing secure design, baking security into the very architecture of applications, and scanning their entire application footprint, will reduce risk significantly.

“Once again, we’ve seen that even well-known vulnerabilities are still prevalent in web applications,” said Invicti president and COO Mark Ralls. “It’s time for organizations to gain command of their security posture. The only way to do that is to ensure that security is in the DNA of an organization’s culture, processes, and tooling so that innovation and security go hand-in-hand.”

You can read the full report here and register for the upcoming webinar with Mark Ralls on April 7 at 10 AM CT, which will explore the report’s findings and discuss real-world approaches to regain control.

About Invicti Security

Invicti Security is transforming the way web applications are secured. An AppSec leader for more than 15 years, Invicti enables organizations in every industry to continuously scan and secure all of their web applications and APIs at the speed of innovation. Invicti provides a comprehensive view of an organization’s entire web application portfolio, and powerful automation and integrations enable customers to achieve broad coverage of even thousands of applications. Invicti is headquartered in Austin, Texas, and serves more than 3,500 organizations of all sizes all over the world. For more information, visit our website or follow us on LinkedIn.

This press release was originally published on PR Newswire.