The majority of vulnerabilities found in 2018 were network-layer vulnerabilities, while less than 20% were in web applications and APIs, according to the fourth annual Vulnerability Stats Report from Edgescan.
When it comes to breaches, though, web application security remains the area of greatest risk. “The percentage of high and critical risks combined, compared to all discovered risks is still high at 19.2% for public internet-facing (external) applications and 24.9% for non-public or internal applications,” the report said.
The report looked at vulnerability metrics from known common vulnerabilities and exposures (CVEs) and found that the rate of known vulnerabilities being exploited in the wild remains high, particularly with cross-site scripting (XSS). XSS, both reflected and stored, accounted for 14.69% of web (layer 7) vulnerabilities in 2018. One issue of great concern with layer 7 vulnerabilities is that “it takes time to fix vulnerabilities, and it can be difficult to avoid repeating the same mistakes,” said Eoin Keary, founder, Edgescan.
Another worrisome layer 7 vulnerability class was SQL injection, which represented nearly 6% of all web vulnerabilities. These database attacks have the potential to be devastating because they can easily be used to compromise entire systems, and the average time to fix a vulnerability discovered in the application layer is 77.5 days.
While 2018 saw many breaches, the study found that there is no sign of the level of global breaches slowing down in 2019. “The high-risk density score of 24.3% for internal-facing applications is worrisome given many studies cite the 'insider threat' as a significant issue,” the study said.
Insider threats also posed risks to infrastructure security in 2018: nearly half (44.7%) of the most common infrastructure vulnerabilities resulted from outdated TLS and SSL versions and misconfiguration issues.
Among the top threats in public internet-facing systems, “33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems). Systems running PHP and Apache also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems,” the report said.