The spring 2022 edition of the Invicti AppSec Indicator has arrived hot off the presses, and it underscores some alarming trends for severe web vulnerabilities. The data shows that direct-impact flaws are still showing up in customer scan results at alarming rates. Worse still, these are often just the tip of the iceberg and can open doors to even more severe security threats if exploited. Our biggest takeaway: things simply aren’t improving, so top-down initiatives from leadership that balance security and innovation are more important than ever. Get the full Invicti report here
For this edition of the report, we dug deeper than ever before into the state of web application security to see which patterns for common vulnerabilities are showing up year over year. We studied aggregated usage data from over 900 global Invicti customers, which included 23,630,985,830 security checks that found and demonstrated potential vulnerabilities. The data shows us that risk-laden flaws like cross-site scripting (XSS) and remote code execution (RCE) are increasing in frequency, most likely due to teams that are too strapped for time without the right tools and processes in place.
Direct-impact flaws with real consequences remain a prevailing problem
Some of the repeat offenders we’re seeing can lead to pretty serious consequences, like multi-stage events where bad actors use common weaknesses to gain deeper access to an application. That ultimately allows them to execute additional and often more serious attacks that can lead to control of back-end servers or even compromise internal systems.
Fortunately, these risky vulnerabilities can’t hide from Invicti scanning tools – and they’re preventable. But because we know from the fall 2021 edition of our AppSec Indicator that 1 in 3 security issues under remediation make it into production unnoticed, there’s clearly a disconnect in the security process for many organizations.
SQL injection (SQLi), for example, has been hovering around the same frequency since 2019. While it’s technically easy to prevent with modern web languages and frameworks, we’re still seeing it in worrisome numbers, which indicates a need for deeper developer education and enablement. We’ve also noticed early indications that government and education sectors are having a hard time combatting SQLi, signaling that legacy code needs modernizing, and skill gaps in development may be holding teams back from threat reduction.
Looking ahead to modernized tooling and effective security processes
Even though these trends are alarming, there is light on the horizon for organizations struggling to balance speed, security, and innovation. It starts with having a dependable application security tool built with automation as a foundational element to critical scanning features and accuracy as a non-negotiable value point.
These automated testing tools take away the need for manual work and security guessing games, which means developers can build sophisticated, innovative applications without compromising on security – or release schedules.
Get the full Invicti report for more information about the trends we’re seeing for direct-impact vulnerabilities and to learn more about the best practices that can help you build more secure applications from the ground up.