Biggest Web Security Vulnerabilities Haven’t Changed Much – And That’s Not a Good Thing (updated May 2018)

After 15 years, the OWASP Top 10 list remains largely the same


The OWASP Top 10 -- a list of the biggest vulnerabilities plaguing web applications -- hasn't changed much in the past 15 years.

Cross-site scripting, injections, broken access controls, broken authentication, insecure configuration, data exposure -- these have all been problems that the Open Web Application Security Project has been warning us about since 2004.

As web applications become the norm for software delivery, the continued presence of these basic problems is an embarrassment for developers.

Take injections, for example.

According to Veracode’s latest State of Software Security report, 28 percent of all applications have a SQL injection flaw when the application security company first scans them, said Chris Eng, its VP of research. And 48 percent have a CRLF injection flaw, while 40 percent have a cross-site scripting flaw, he said.
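The three injection classes Eng cites share one root cause: untrusted input is pasted into a structured context (a SQL statement, an HTTP header block, an HTML page) without being treated as data. The following Python is an added illustration, not code from the article or from Veracode; the user table, the credentials, the redirect target and the attacker inputs are all constructed for the example. Each flaw is shown in its vulnerable form beside the fix.

```python
import html
import sqlite3

# --- SQL injection -------------------------------------------------------

def make_db():
    """Constructed sample data for the example: one user in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Splices the submitted strings into the SQL text: the classic injection flaw."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()

def login_parameterized(conn, username, password):
    """Binds the strings as parameters; the driver never lets them alter the query."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

# --- CRLF injection (HTTP response splitting) ----------------------------

def redirect_vulnerable(target):
    """Copies a user-supplied URL into a header without checking for line breaks."""
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % target

def redirect_safe(target):
    """Refuses any value that could terminate the header and start a new one."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR or LF in header value")
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % target

def response_headers(raw_response):
    """Returns the header lines a client would parse out of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]

# --- Cross-site scripting ------------------------------------------------

def render_comment_vulnerable(text):
    """Reflects user text into HTML as-is, so markup in the text becomes markup in the page."""
    return "<p>%s</p>" % text

def render_comment_safe(text):
    """HTML-encodes the text so the browser shows it as characters, not elements."""
    return "<p>%s</p>" % html.escape(text, quote=True)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(db, "mallory", payload))     # ('alice',): logged in as alice
    print(login_parameterized(db, "mallory", payload))  # None
    split = "/home\r\nSet-Cookie: session=attacker"
    print(response_headers(redirect_vulnerable(split)))  # injected Set-Cookie appears
    print(render_comment_safe("<script>alert(1)</script>"))
```

The SQL payload works because the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized version compares the literal string and finds no match. The header check is the whole fix for CRLF injection: once a CR/LF pair reaches the header block, the client treats what follows as a new header. For XSS, encoding at the point of output is what matters, which is why the fix lives in the render function rather than in input validation.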

With the move to microservices and more recently serverless applications, the risks posed by these problems multiply. And attackers are taking full advantage.

"In the past year, we’ve seen that the threat landscape is only becoming more dangerous," said Eng.

It’s funny to see so many cross-site scripting vulnerabilities but sad at the same time, said Ilia Kolochenko, CEO at High-Tech Bridge SA, a cybersecurity company.

"XSS vulnerabilities are quite simple to prevent and detect. Nonetheless many web developers still carelessly push code riddled with XSSs into production," he said.

One new item on this year's list is insecure deserialization, which concerns how an application turns serialized data received from other applications back into objects: if the bytes are untrusted, they can decide which code runs during that reconstruction.

"More and more applications are interoperating and passing these types of objects back and forth, so it's certainly an issue now," said Ryan Spanier, director of research at Kudelski Security.
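As an added example of the object-passing problem Spanier describes (not code from the article or from Kudelski Security), here is the flaw in Python's pickle format, which the article does not name and which stands in for any native serializer. The attacker-built object, the allow-list of permitted classes and the expected message shape are all assumptions made for the demonstration.

```python
import io
import json
import pickle
from collections import OrderedDict

class Gadget:
    """Attacker-constructed object. pickle stores what __reduce__ returns, so the
    unpickler on the receiving side calls eval() on the attacker's expression."""
    def __reduce__(self):
        # Harmless expression chosen for the demo; it could be any Python code.
        return (eval, ("__import__('os').getcwd()",))

def build_malicious_payload():
    """Bytes as an attacker would send them to a service that unpickles its input."""
    return pickle.dumps(Gadget())

def build_benign_payload():
    """Constructed sample message of the kind the service legitimately expects."""
    return pickle.dumps(OrderedDict(user="alice", roles=["reader"]))

def unsafe_load(data):
    """The insecure pattern: trust whatever object graph the peer sent."""
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    """Resolves globals only from an explicit allow-list; anything else is refused
    before any constructor or callable gets to run."""
    ALLOWED = {("collections", "OrderedDict")}  # assumed set of permitted types

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))

def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data):
    """True if the restricted loader refuses the payload."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False

def load_message_json(text):
    """Preferable when the peer is not fully trusted: a data-only format plus an
    explicit shape check, so parsing never executes code. Schema is assumed."""
    obj = json.loads(text)
    if not (isinstance(obj, dict) and isinstance(obj.get("user"), str)
            and isinstance(obj.get("roles"), list)):
        raise ValueError("message does not match expected schema")
    return obj

if __name__ == "__main__":
    evil = build_malicious_payload()
    print(unsafe_load(evil))          # the attacker's expression ran: prints a directory path
    print(is_rejected(evil))          # True
    print(safe_load(build_benign_payload()))
```

Restricting `find_class` is a mitigation for code that must keep accepting a native format; the durable fix is the last function, a data-only encoding with validation, so that interoperating services exchange values rather than executable object graphs.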

But the biggest new item, he said, and one with the biggest import for data centers, is insufficient logging and monitoring.

This vulnerability is at the bottom of the list, because it’s not highly visible.

"It's not easy for the attacker to detect that you have bad logging," said Spanier. "But the amount of logging and monitoring that you have on your servers is directly related to how well you can detect an attack and how fast you can initiate your response for that attack. If you have poor monitoring you're far less likely to detect an attack against your web services."

Logging and monitoring is also the aspect of web application security that data center managers have the most control over, he added. "It's not dependent on how someone coded the website."

As web application infrastructure gets more complex and more interconnected, monitoring matters more than ever.

It is "really critical for protecting your organization," Spanier said. "We've come to realize that we can't prevent every single attack. There are always going to be new ones, and logging and monitoring is going to be critical."
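To make Spanier's point concrete, the following added example (not from the article or from Kudelski Security) runs simple detection logic over a constructed batch of web-server access log lines in combined log format. It flags the injection classes discussed earlier by inspecting the percent-decoded request line, and it counts failed logins per client to surface password guessing. The signatures, the login path and the threshold are assumptions for the demonstration, and the log lines themselves are fabricated.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common/combined log format prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-line signatures for the injection classes in the article, matched against
# the percent-decoded path and query string. Assumed patterns, kept deliberately narrow.
SIGNATURES = [
    ("sqli", re.compile(r"'\s*(or|and)\s*'|union\s+select", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
    ("crlf", re.compile(r"[\r\n]")),
]

LOGIN_PATH = "/login"  # assumed login endpoint

# Constructed sample log: a normal search, then SQLi, XSS and CRLF probes, then
# repeated failed logins from one client and a single failure from another.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2018:10:01:02 +0000] "GET /search?q=laptops HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2018:10:01:05 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90311
198.51.100.3 - - [12/May/2018:10:02:11 +0000] "GET /item?id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 312
198.51.100.3 - - [12/May/2018:10:02:20 +0000] "GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048
192.0.2.9 - - [12/May/2018:10:03:00 +0000] "GET /redirect?to=%2Fhome%0D%0ASet-Cookie%3A%20sid%3Dattacker HTTP/1.1" 302 0
192.0.2.9 - - [12/May/2018:10:03:01 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [12/May/2018:10:03:02 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [12/May/2018:10:03:03 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [12/May/2018:10:03:04 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [12/May/2018:10:03:05 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [12/May/2018:10:03:06 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [12/May/2018:10:04:00 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [12/May/2018:10:04:09 +0000] "POST /login HTTP/1.1" 200 640
"""

def parse_line(line):
    """Returns the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, login_threshold=5):
    """Returns (alerts, brute_force): signature hits per request, and clients whose
    failed-login count in this batch reached the threshold."""
    alerts = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines would be worth counting in a real pipeline
        decoded = unquote_plus(rec["path"])  # attackers encode payloads; decode before matching
        for rule, pattern in SIGNATURES:
            if pattern.search(decoded):
                alerts.append({"ip": rec["ip"], "rule": rule,
                               "path": decoded, "status": rec["status"]})
        if rec["path"].split("?", 1)[0] == LOGIN_PATH and rec["status"] == "401":
            failed_logins[rec["ip"]] += 1
    brute_force = {ip: n for ip, n in failed_logins.items() if n >= login_threshold}
    return alerts, brute_force

if __name__ == "__main__":
    found, guessing = analyze(SAMPLE_LOG)
    for a in found:
        print("%-13s %-5s %s %s" % (a["ip"], a["rule"], a["status"], a["path"]))
    print("failed-login bursts:", guessing)
```

Two details carry the article's argument. The SQL injection probe on the second line returned a 200 with a response far larger than the normal search, which is only visible because the size field was logged; and the six 401s are only correlatable because the client address and status were recorded for every request. Neither signal exists if the server is not logging, which is why Spanier puts this item under the control of the people running the infrastructure rather than the people writing the code.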

About the Author(s)

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.

https://www.mariakorolov.com/

Data Center Knowledge