According to F5, web application security is the biggest cyber threat, also exploited by state-affiliated actors
F5 Labs released a report revealing that web application security issues made up the majority of cyber threats over the past five years. The report also found that web application issues took almost four times longer to be discovered compared to other extreme events.
Researchers analyzed the IRIS 20/20 Xtreme report examining the 100 largest cyber losses in 5 years amounting to $18 billion and 10 billion compromised records, as well as the data breach investigation report (DBIR) from Verizon. The researchers analyzed both reports using MITER’s ATT&CK framework.
Web application security issues drive most data breaches
The F5 Labs report found that web application attacks were the top incident pattern among data breaches for 6 out of the last 8 years.
Additionally, more than half (56%) of all top software security incidents experienced in the past 5 years stemmed from a web application security issue.
Using the ATT&CK framework, they discovered that the 2 main initial access methods relied on exploiting public-facing web applications. Additionally, 12% of hackers exploit publicly available web applications, while 42% exploit valid user accounts on web applications to compromise targeted organizations.
Unsurprisingly, 57% of all losses from the largest web application security incidents came from state-affiliated threat actors. And nearly one in five major web application security incidents have been attributed to state-affiliated attackers, with losses amounting to $4.3 billion.
The report also found that web application security exploits took 254 days to be detected, compared to 71 days for other extreme loss events.
Cross-site scripting and SQL injection attacks rank highest
The F5 Labs report noted that there was no consensus among experts on the most common type of web vulnerabilities. However, using a ranking mechanism showed that the SQL injection (SQLi) and cross-site scripting (XSS) vulnerabilities were rated highest.
Various sources reported that the prevalence of SQLi attacks ranged between 15% and 76%, while XSS attacks ranged between 4% and 54%. Additionally, each report analyzed showed higher attack rates for each recent year.
Other common vulnerabilities include broken authentication, exposure of sensitive data, misconfigured security, and broken access control.
Insecure deserialization and XML external entities (XXE), which could lead to malicious code injection and remote code execution (RCE) attacks, are rated moderate. Other vulnerabilities such as using components with known vulnerabilities and insufficient logging and monitoring were poorly reported, thus scoring lower on the scale of F5.
Some web application vulnerabilities were missing from some reports because not all sources report according to OWASP categories, the researchers explained. Additionally, F5 adopted a ranking mechanism instead of reporting percentages, unlike sources that measured different types of applications, for example, web applications against open source software libraries.
“Attempts to analyze and compare the prevalence of various types of attacks and vulnerabilities across multiple sources suffer from a Tower of Babel effect.”
Web application security remains a challenge
The researchers said attempts to improve web application security have so far failed despite attempts to adopt various open standards.
“Clearly some have tried to do this by adopting standard vulnerability frameworks like the Open Web Application Security Project (OWASP) Top 10, but that often doesn’t translate well to the attack side.”
With almost anyone able to develop web applications without coding knowledge and using platforms plagued by vulnerabilities, web application security will remain a major challenge.