Web applications are susceptible to vulnerabilities
Access control vulnerabilities and the risk of data disclosure are the most widespread security flaws in internally developed web applications. This is the finding of a recent Kaspersky analysis covering the period 2021 to 2023.
For the analysis, Kaspersky examined vulnerabilities in web applications developed in-house by companies from the IT, government, insurance, telecommunications, cryptocurrency, e-commerce and healthcare sectors.
The majority (70 percent) of the vulnerabilities found concern either the protection of confidential data, such as passwords, credit card data, health records, personal data and confidential business information, or access control. The latter category allows cyber criminals to bypass a site's access policies and, for example, modify or delete data.
Across the applications examined, the experts found a total of several dozen vulnerabilities relating to access control and data protection; many of the highest-risk findings were SQL injections. Some of the vulnerability classes analyzed were predominantly high-risk: 88 percent of all SQL injection vulnerabilities analyzed were rated high-risk, and 78 percent of the weak-password findings were likewise classified as high-risk.
In addition, 22 percent of all web applications examined by Kaspersky had weak passwords. One possible reason for this is that the apps included in the sample may have been test versions and not actual live systems.
Oxana Andreeva, security expert in the Kaspersky Security Assessment team, comments: "The research was carried out taking into account the most common vulnerabilities in web applications developed in-house by companies and their level of risk. Attackers could use them to steal user authentication data or execute malicious code on the server. Each vulnerability has a different impact on business continuity and resilience. Companies should therefore pay attention to security when developing web applications and constantly review them."
Kaspersky recommendations for protecting in-house developed web applications
- Implement a Secure Software Development Lifecycle (SSDLC).
- Carry out regular application security assessments and take appropriate remediation measures.
- Monitor the operation of the applications.
Source: www.kaspersky.de