Cybersecurity Study Reveals Web App Vulnerability Crisis

A recent cybersecurity study has brought to light a concerning vulnerability crisis affecting web applications. 

CyCognito’s semi-annual State of External Exposure Management report unveiled a distressing landscape of digital threats across public cloud, mobile and web platforms. The comprehensive analysis of 3.5 million assets, encompassing Fortune 500 entities, highlights the precarious state of data security.

The study found that 74% of assets holding personally identifiable information (PII) are exposed to at least one well-known, significant exploit. One in every ten of these assets contains an easily exploitable weakness, raising red flags about data privacy and safeguarding.

“The statistics mentioned underscore a clear point: PII remains highly vulnerable. If 74% of assets with PII are exposed to at least one known major exploit and 10% have an easily exploitable issue, it paints a concerning picture of the current state of external exposure management,” commented Callie Guenther, cyber-threat research senior manager at Critical Start.

“It’s essential to note that these vulnerabilities exist in the context of known exploits, suggesting that there are recognized solutions or patches that haven’t been applied.”

Additionally, the research underscores critical weaknesses in web applications themselves. 70% of the applications examined lack at least one of two basic protections, a Web Application Firewall (WAF) or HTTPS encryption of traffic in transit, and an alarming 25% lack both.

The report illustrates the scale of the issue: the average global enterprise manages over 12,000 web applications, including APIs, SaaS applications, servers and databases. Of these, over 3,000 (30%) carry exploitable or high-risk vulnerabilities, and half of those vulnerable applications are hosted in cloud environments.

“We strongly recommend all organizations take a new approach to remediation efficiency by focusing on the remediation of exposures that lie on choke points, as they provide attackers with a fast track to causing significant harm to the organization,” said Zur Ulianitzky, vice president of research at XM Cyber.

“By identifying and ignoring dead ends to reduce workload, organizations can free up resources to focus on choke points for remediation.”

The research also raises concerns about GDPR compliance, indicating that 98% of web applications lack sufficient transparency for users to opt out of cookies.

Security experts recommend a multi-pronged approach to safeguard against the alarming vulnerability crisis in web applications. This includes conducting regular vulnerability scans and prompt patching, implementing multi-factor authentication (MFA) for enhanced access control and ensuring robust encryption for both data in transit and at rest. Adhering to the least privilege principle and continuous staff training on data protection and threat recognition further help mitigate risks.

An effective incident response plan, network segmentation and external assessments through penetration testing provide vital layers of defense. Regular data backups serve as a critical resource for recovery in the face of potential data-compromising incidents.
