Study of Vulnerabilities in Popular Development Platforms Exposes Where Companies are Most at Risk Even if they Follow Best Coding Practices
SUNNYVALE, Calif. – March 16, 2020 – RiskSense®, Inc., pioneering risk-based vulnerability management and prioritization, today announced the results of the RiskSense Spotlight Report on vulnerabilities in leading Web and Application Frameworks, which, if exploited, can have devastating effects such as the Equifax breach, which affected 147 million people.
Among the report’s key findings, total framework vulnerabilities in 2019 went down but the weaponization rate went up, WordPress and Apache Struts had the most weaponized vulnerabilities, and input validation surpassed cross-site scripting (XSS) as the most weaponized weakness in the frameworks examined. This is the first report of its kind to analyze which frameworks have the most vulnerabilities, which are the most weaponized, the most common types of vulnerabilities and the threats they pose to an organization.
“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense. “As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”
Data for the RiskSense Web and Application Framework Vulnerabilities report was gathered from a variety of sources, including RiskSense proprietary data, publicly available threat databases, and findings from RiskSense threat researchers and penetration testers. The study analyzed 1,622 vulnerabilities from 2010 through November of 2019.
Following are some of the key insights from the report:
WordPress and Struts are the Most Weaponized
These two frameworks alone accounted for 57% of the weaponized vulnerabilities (those for which exploit code exists to take advantage of the weakness) in the past 10 years. WordPress faced a wide variety of issues, but cross-site scripting (XSS) was the most common problem, while input validation was the biggest risk for the Apache Struts framework. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.
2019 Vulnerabilities are Down, But Weaponization is Up
While the overall number of framework vulnerabilities was down in 2019 compared to previous years, the weaponization rate jumped to 8.6%, which is more than double the NVD (National Vulnerability Database) average of 3.9% for the same period. This uptick was primarily due to increased weaponization in Ruby on Rails, WordPress and Java.
Input Validation Replaces XSS as Top Weakness
While XSS was the most common vulnerability over the 10-year study period, it dropped to 5th when analyzed over the last 5 years. This is a sign that frameworks are making progress in this important area. Meanwhile, input validation has emerged as the top security risk for frameworks, accounting for 24% of all weaponized vulnerabilities over the past 5 years, mostly affecting Apache Struts, WordPress, and Drupal.
Injection Weaknesses are Highly Weaponized
Vulnerabilities tied to SQL injection, code injection, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%. In fact, the top 3 weaknesses by weaponization rate were Command Injection (60% weaponized), OS Command Injection (50% weaponized), and Code Injection (39% weaponized). This often makes them some of the most sought-after weaknesses for attackers.
Shedding Light on Hidden Threats
An organization’s web-facing applications represent fundamental digital assets that are essential to serving internal and external users. Their exposure to the outside world also means they are susceptible to constant attack. The overarching goal of this Spotlight Report is to provide visibility into threats that place an often overlooked layer of the IT infrastructure stack at risk, and to raise awareness of the importance of application framework vulnerability management in reducing an organization’s attack surface.
A full copy of the report is available here.