Priorities Vulnerability Management with The Contrast Labs Application Security Intelligence Report for May–June 2020

The Contrast Labs Application Security Intelligence Report for May–June 2020 leverages aggregate data from Contrast Security customers to provide insights about the vulnerabilities in software that we protect—and attacks on those applications. Findings of note include:

• One in three applications has at least one serious vulnerability—27% higher than the annual average.
• A larger percentage of Java applications have serious vulnerabilities compared with other languages, owing to the increased flexibility of that platform.
• While the volume of attacks subsided, the percentage of applications impacted by SQL injection, broken access control, and command injection attacks spiked.
• The increase in the percentage of applications targeted by specific attacks was especially pronounced for .NET applications, with five attack categories seeing double-digit increases in the percentage of applications impacted.

These findings accentuate the continuing struggle to deliver secure applications for developers, security, and operations professionals. These problems have been magnified in recent months by the COVID-19 pandemic—which has forced most developers to work remotely while facing increasingly aggressive deadlines as businesses scramble to adapt to a marketplace that has been turned upside down. In this environment, a comprehensive approach to application security (AppSec) is more important than ever—one that builds testing and protection into every step of the software development life cycle (SDLC).

Key Findings:

• 33% of applications had a serious vulnerability in May–June 2020—27% higher than the annual average
• Applications with expression language injection vulnerabilities have a median of 5 instances per application
• 81% of applications saw a SQL injection attack—47% MORE than the prior two-month period
• 5 attack categories saw a DOUBLE-DIGIT INCREASE in the percentage of applications impacted compared to the prior two-month period
• Only 3 ATTACK CATEGORIES saw a decrease

Table of contents

Evolving Threats in 2020
Vulnerability Trends
Trend: Too many applications continue to have serious vulnerabilities
Trend: More Java applications have serious vulnerabilities
Trend: Vulnerable applications tend to have multiple vulnerabilities
Attack Trends
Trend: SQL injections attacks trended sharply upward, becoming the most common attack type
Trend: Specific attacks impacted many more .NET applications
Application Security Watch List
Conclusion

Evolving Threats in 2020

Contrast Labs’ bimonthly Application Security Intelligence Reports provide an update on the status of AppSec as observed by vulnerabilities identified by telemetry directly measured from customers’ applications running in development, test, and production environments. The dataset includes vulnerabilities identified by Contrast Assess and attacks detected by Contrast Protect.

Every two months, Contrast Labs analyzes this data to determine which types of vulnerabilities and attacks are most prevalent in protected applications. The report also identifies actionable insights that can aid development, security, and operations teams as they refine their application security strategy. While the fluctuations over two months are sometimes small, publishing the reports regularly helps readers to identify trends on an ongoing basis.

COVID-19 continues to threaten public health and the economy, especially in the United States. At the same time, agitation for social change has made the headlines every day for more than two months. During the chaos, successful companies are adjusting their business models to emphasize digital engagement, and the underlying digital transformations are continuing on schedule—or, in many cases, accelerating.

At the same time, cybercriminals are adjusting their tactics to take advantage of the situation. For example, Google is blocking more than 18 million coronavirus-related scam emails daily. Tactics used in attacks on web applications are evolving as well, with more sophisticated account takeover (ATO) attacks, more widely distributed botnets, and more. In other instances, federal indictments were issued against suspected Chinese hackers targeting companies doing COVID-19 research and a New York City man for stealing payment card information for thousands of accounts.

Responding to this changing landscape is complicated by the accelerating volume of new vulnerabilities discovered. Microsoft has averaged 90 Common Vulnerabilities and Exposures (CVE) fixes per month in recent months, and several high-profile critical vulnerabilities have been identified in open-source Java libraries recently. Overall, 2,460 vulnerabilities were added to the CVE database in May and June, more than 11 times the prior year total of 297.

One vulnerability in SAP NetWeaver could enable unauthenticated attackers to take over applications using HTTP, and a dozen critical and high-severity vulnerabilities found in OpenClinic GA could expose critical healthcare infrastructure to attacks. This makes it even more important to prioritize vulnerabilities according to risk, as only 0.6% of CVEs are ever exploited in the wild.

Vulnerability Trends

For May-June 2020, Contrast Labs identified several application vulnerability trends from analysis of its aggregate data:

Trend: Too many applications continue to have serious vulnerabilities

Similar to previous months, nearly every application (98%) had at least one vulnerability in May and June (Figure 1). That number is actually up slightly from the prior two-month period, which saw 97% of applications impacted. It is even higher than the 96% reported in Contrast’s annual 2020 Application Security Observability Report, which covered the 12 months ending May 31, 2020. While a 1% or 2% increase seems relatively small in this case, full percentage-point changes at volumes can be fairly dramatic.

But the larger concern is that one in three applications has at least one serious vulnerability—that is, defined by Contrast as posing either high or critical risk. This number fluctuates more than the total number of vulnerabilities; it is down from the 36% noted in March and April but much higher than the 26% identified in the annual report. It seems that this metric increased when developers started working from home in March—an environment that may increase the likelihood of serious vulnerabilities being introduced. While the number settled a bit during May and June—perhaps because coders became more accustomed to working from home—it is still up by 27% over the annual percentage.

Cross-site scripting (XSS) and broken access control continue to be the most common serious vulnerability categories, impacting 18% and 17% of applications, respectively (Figure 2)—down slightly from 20% and 19% in March and April. XSS vulnerabilities have now been present in 20% or less of applications for five straight months after being above 20% in January 2020 and throughout much of 2019. This is because current coding practices use application programming interfaces (APIs) and JavaScript in the browser instead of generating HTML on the server-side. In other words, technology may be moving beyond this long-prominent vulnerability. Also, languages and frameworks used by developers are doing more to protect against XSS vulnerabilities by default.

Trend: More Java applications have serious vulnerabilities

While Python seems poised to displace it, Java has been the world’s most commonly used programming language for many years, thanks largely to its portability, flexibility, and scalability. But these same qualities that make it so attractive for businesses—especially large enterprises—also make it more susceptible to vulnerabilities. In May and June, 39% of Java applications contained serious vulnerabilities—compared with only 26% of .NET applications (Figure 3). Nearly one-quarter of Java applications (24%) have a broken access control vulnerability, and 23% have an XSS vulnerability—unchanged from March and April (Figure 4).

In contrast to the open world of Java development, Microsoft exercises stricter control over the .NET language, with fewer integrated development environments (IDEs), fewer open-source libraries and frameworks, and more standardization across the board. XSS and injection are the only two vulnerability categories to impact more than 10% of .NET applications.

These differences should be noted, not to disparage the use of Java but rather to aid development teams in delivering secure Java applications. Writing secure code is very possible with a variety of languages if developers learn to do so by learning from feedback gleaned from continuous testing. With discipline and a commitment to write secure code, Java’s higher propensity to vulnerabilities should not be a factor in whether to choose it or another language.

Trend: Vulnerable applications tend to have multiple vulnerabilities

Another continuing trend is that a small subset of applications contains a large number of serious vulnerabilities. The mean number of serious vulnerabilities within vulnerable applications held steady at 55 in May and June. But when the numbers are broken down, only 5% of applications have 50 or more serious vulnerabilities (Figure 5). This handful of applications inflates the mean number, of course, and the median number of serious vulnerabilities per vulnerable application is only four.

Both numbers would be worse for these applications if they were protected by legacy AppSec tools. Line-by-line scanning using static application security testing (SAST), for example, can create significant alert fatigue in an application with many legitimate vulnerabilities—and the large number of false positives for which SAST solutions are notorious. A report by one SAST vendor showed an average of 175 identified vulnerabilities per application, many of which are likely false positives.

When looking at vulnerability counts by category, applications having expression language injection vulnerabilities have the most instances of that vulnerability—a median of five. XSS has a median of four, and broken access control, SQL injection, and XML external entity (XXE) injection had medians of two each (Figure 6).

It makes sense in certain instances that multiple occurrences of the same vulnerability would be present in a particular application. For instance, if a developer misses validating a piece of data once, they could miss it in multiple places.

Attack Trends

Data from Contrast Protect during May and June revealed several trends regarding attacks:

Trend: SQL injections attacks trended sharply upward, becoming the most common attack type

The overall volume of attack attempts was down, with the average application experiencing just over 9,000 attacks per month—significantly lower than the nearly 13,500 in March and April. This may reflect more precise targeting on the part of cybercriminals. The percentage of attacks that hit an exploitable vulnerability—that is, targeted a vulnerability that existed in an application—held steady at 3%.

While the overall volume of attacks was down somewhat, the number of applications that saw SQL injection attacks were up sharply (Figure 7). This could be related to an influx in new applications being onboarded or a targeted concentration of attacks on SQL from bad actors. More than four in five applications (81%) saw an attack of this type in May and June, up from 55% in the prior two-month period—a 47% increase (Figure 8). This was enough to move SQL injection into first place as the most common attack type, while XSS moved from first to third on the list despite impacting 66% of applications—up from 63% in March–April.

While only 7% of applications had SQL injection vulnerabilities during May and June, the spike in this attack type is worrying because it may indicate that attackers are finding some success with the approach. Media reports have highlighted SQL injection vulnerabilities in applications in critical fields like remote learning and operational technology. As businesses scrambled to accommodate remote employees and more digital engagement with customers during the COVID-19 pandemic, they may have deployed more of this vulnerability type into production.

The same data shows that two other vulnerability categories surged in May and June as compared with March and April. Broken access control spiked from 48% to 72% of applications, moving this category into second place in the list of most common attacks. Command injection increased from 46% to 63% of applications. Again, cybercriminals may be deploying more of these attacks in hopes of a successful infiltration at a time when development activity is spiking. Some broken access control attacks are easy to automate and deploy to multiple applications, making them a low-cost attack with medium to the high potential return.

Of course, organizations can avoid problems associated with these attacks by making it a priority to deploy secure code into production—something that is possible with an instrumentation-based approach to application security. Such solutions provide continuous vulnerability data to the developers as they write code while protecting an application in production from within the software.

Trend: Specific attacks impacted many more .NET applications

As noted above, the total volume of attacks was down in May and June compared with earlier months, but a larger percentage of applications were impacted by several specific attack types. Both trends were especially true with .NET applications. For applications in that language, five vulnerability categories—broken access control, SQL injection, XSS, command injection, and expression language injection—saw double-digit increases in the percentage of applications impacted (Figure 9). Three of these five saw increases of between 25 and 40 percentage points.

This bimonthly period saw an interesting combination of fewer attacks per application per month with increases in the percentage of applications on the receiving end of many attack types. This difference was especially pronounced with .NET applications, which only saw declines in one attack type. This suggests that adversaries are targeting a broader array of applications, which are also seeing a greater number of vulnerabilities targeted. This might be due to attackers trying to exploit all of the additional code that is being deployed faster due to more aggressive business release cycles during COVID-19.

Application Security Watch List

When development and security professionals look at vulnerability and attack data such as what is presented in this report, their most important consideration is how much risk each vulnerability poses to their organizations. Contrast Labs performs continuous analysis of these two datasets to compile an Application Security Watch List for each bi-monthly period. The ranking is according to something we call a “risk factor”—the comparison of the likelihood that a vulnerability type will occur and the likelihood that that specific vulnerability will be attacked. The Watch List for May and June of 2020 is as follows:

Given the 47% spike in the percentage of applications targeted by SQL injection attacks, it is not surprising that this vulnerability moved to the top of the Watch List for May and June (Figure 11). Its vulnerability prevalence is up by 15% in that period compared with the annual average for the 12 months ending on May 31. SQL injection attacks were especially impactful in May when 85% of applications experienced them.

Indeed, SQL injection attacks can yield useful information when they are successful, including login credentials, transaction files, and database information. For example, in late May, a New York City resident was charged with using SQL injection to hack into e-commerce sites, steal payment card information, and sell it on the dark web.

Several familiar vulnerability types follow behind SQL injection, including broken access control, command injection, XSS, and expression language injection. Indeed, the top five entries on the Watch List are unchanged from March and April, and these vulnerabilities remain common targets for adversaries.

Insecure configuration moved up one spot to number six on the Watch List, driven by a 79% increase in vulnerability prevalence compared with the annual average. And further, down the list, NoSQL injection moved up two spots from its customary 12th position on the list. As organizations deal with increasingly large sets of distributed data, NoSQL databases are more attractive to make sense of it. As a result, NoSQL injection vulnerabilities may be targeted with more attacks going forward.

Conclusion

This bi-monthly report finds that software vulnerabilities and attacks continue unabated in a rapidly changing technology world. Given the rapid clip at which businesses have developed applications over the past two months—often to survive in a rapidly changing economy—the fact that vulnerabilities have not dramatically increased could be counted as good news.

Conversely, the decline in the volume of attacks compared with the prior two-month period might appear at first glance to be a positive development. Unfortunately, the notion that cybercriminals are simply targeting their attacks more precisely is likely closer to the truth. The dramatic increase in applications impacted by specific attack types may indicate some level of the strategy behind the attacks.

In a fast-changing world, it is more important than ever to ensure that applications are delivered into production without serious vulnerabilities. To achieve this, organizations need to “shift left” with their AppSec processes—finding vulnerabilities earlier in the development process. At the same time, organizations must “shift right” by building self-protection into applications in production. Security instrumentation enables continuous security testing built into the application itself, providing real-time feedback to developers and enabling remediation on the fly.

Source: Contrast Security