Top 5 Vulnerabilities Organizations Face Are the Same as Those 4 Years Ago: Cobalt Study

essidsolutions

Vulnerability management and cybersecurity testing company Cobalt delved into the most common vulnerability types organizations face. The company found organizations are still battling the same five most common vulnerabilities from four years ago. What’s more is that two of these five vulnerabilities have been prevalent since 2003! Cobalt attempts to answer the question: “why?”

Zero-day security vulnerabilities are one of the major reasons why organizations are innovating their approach to software development. Teams now perform extensive code reviews, threat modeling, and fuzzing, and have even shifted left to make sure applications are rock solid when it comes to security. Yet non-zero-day vulnerabilities, i.e., the ones that are already known, are proving to be a bigger ordeal than they should be for developers and security teams.

Penetration-testing-as-a-service (PTaaS) vendor Cobalt.io examined some of the reasons why known bugs are a challenge to overcome. The company theorized in The State of Pentesting 2021 report that the issue lies in the inability to prevent vulnerabilities from taking shape earlier in the software development lifecycle (SDLC).

Cobalt found that organizations have been unsuccessfully dealing with the same five vulnerability types since 2018. So for four years, none of these five vulnerability types has been dislodged from the top five, which is cause for deep concern. They have exchanged places with each other, but all five have consistently featured in the top five.

Top Five Most Common Vulnerabilities

  • Security misconfiguration: One of the most common issues across the industry. According to OWASP, causes include insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

  • Cross-site scripting (XSS): The inclusion of untrusted and poorly validated data in a new web page. It can also arise when an existing web page is updated with user-supplied data through a browser API that can create HTML or JavaScript. XSS bugs “allow attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

  • Broken access control: Can lead to unauthorized access to application functionality, sensitive data, and user accounts, and to the modification of access rights.

  • Sensitive data exposure: Lack of special protection for sensitive data, including financial, healthcare, and personally identifiable information (PII), exposed through improperly protected web applications, APIs, or web browsers.

  • Broken authentication and session management: Weak authentication and session management often lead to the compromise of passwords, keys, or session tokens. An attacker can also assume the identity of a user of the system, either temporarily or permanently, for malicious use.

All of these flaws also feature in the Open Web Application Security Project (OWASP) Top 10. Two of them — cross-site scripting and broken access control — have been prevalent for 18 years, since they first appeared on the list in 2003.
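Broken access control in the form of an insecure direct object reference (IDOR) is the finding that recurs in almost every asset and industry ranking below. The following is an added illustration, not code from the Cobalt report: a hypothetical invoice lookup in its vulnerable form beside the hardened one, plus a small audit helper of the kind a team could run in a regression test to catch the flaw before a pentester does. All names and sample records are constructed.

```python
from dataclasses import dataclass


# Constructed sample data: two users (ids 7 and 8), each owning one invoice.
@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.0),
    1002: Invoice(1002, owner_id=8, amount=980.0),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    # IDOR: the handler trusts the client-supplied id and never compares it
    # with the caller's identity, so any logged-in user can read any invoice
    # simply by changing the number in the request. session_user_id is unused.
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user_id: int, invoice_id: int) -> Invoice:
    # Fix: authorize on every object access, comparing the owner recorded
    # server-side with the identity taken from the authenticated session.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        # One response for "missing" and "not yours", so that the error
        # message does not reveal which ids exist.
        raise Forbidden(f"user {session_user_id} may not access invoice {invoice_id}")
    return invoice


def count_cross_tenant_leaks(handler, user_id: int, candidate_ids) -> int:
    """Regression check: how many invoices does `handler` return to `user_id`
    that `user_id` does not own? Anything above zero is an IDOR finding."""
    leaked = 0
    for invoice_id in candidate_ids:
        try:
            invoice = handler(user_id, invoice_id)
        except (Forbidden, KeyError):
            continue  # refused or nonexistent: not a leak
        if invoice.owner_id != user_id:
            leaked += 1
    return leaked
```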

Let us have a look at the top asset- and industry-specific vulnerabilities.


Top Vulnerabilities Residing in Assets

Asset | #1 | #2 | #3
--- | --- | --- | ---
Web | Cross-Site Scripting (XSS): Stored | Broken Access Control: Insecure Direct Object References (IDOR) | Cross-Site Scripting (XSS): Reflected
Application Program Interface (API) | Cross-Site Scripting (XSS): Stored | Server Security Misconfiguration: Lack of Security Headers | Server Security Misconfiguration: Insecure Cipher Suite
Mobile | Lack of Binary Hardening: Lack of Jailbreak Detection | Broken Access Control: IDOR | Mobile Security Misconfiguration: Absent SSL Certificate Pinning
Internal Network | Components With Known Vulnerabilities: Outdated Software Version | Server-Side Injection: Remote Code Execution | Server Security Misconfiguration: Using Default Credentials
External Network | Components With Known Vulnerabilities: Outdated Software Version | Server Security Misconfiguration: Insecure SSL | Server Security Misconfiguration: Insecure Cipher Suite

Top Industry-Specific Vulnerabilities

Vulnerabilities can be more detrimental to some industries than to others, especially those that handle troves of sensitive financial or healthcare data.

Industry | #1 | #2 | #3
--- | --- | --- | ---
SaaS | Cross-Site Scripting: Stored | Broken Access Control: Insecure Direct Object References (IDOR) | Cross-Site Scripting: Reflected
Healthcare | Cross-Site Scripting: Stored | Broken Access Control: IDOR | Components With Known Vulnerabilities: Outdated Software
Fintech | Broken Access Control: IDOR | Cross-Site Scripting: Stored | Components With Known Vulnerabilities: Outdated Software
Insurance | Cross-Site Scripting: Reflected | Cross-Site Scripting: Stored | Components With Known Vulnerabilities: Outdated Software
E-Learning | Broken Access Control: IDOR | Cross-Site Scripting: Reflected | Cross-Site Scripting: Stored

What’s Taking So Long for Remediation?

It is clear that eliminating issues that have been plaguing organizations isn’t as easy as detecting them. The problem is that all of these top vulnerabilities are well-known.

To make sure these known bugs do not re-emerge, developers and security teams follow established secure development principles. 96% of respondents to Cobalt’s survey said they perform code reviews, threat modelling, etc. before pushing code to production.

Figure: % of respondents who follow secure development principles in the SDLC | Source: Cobalt

“The fact stands that vulnerabilities slip past these checks, as evidenced by our own data,” Cobalt said. “It takes multiple approaches to secure one’s environment. Pentesting isn’t the panacea of application security, but it can validate all the other pieces of a security program and help inform what areas need to be improved.”

This is where penetration testing comes in. Unfortunately, only 63% of the overall application portfolio is pentested, even though 78% of respondents agree that pentesting is a high priority. The reasons:

  • Difficulty in finding and hiring resources with the right skill sets for pentesting (86%)
  • Pentesting is expensive (58%); 42% of respondents even said their company does not have the budget for pentesting
  • Pentesting is difficult to scope (61%)
  • Pentesting is too slow to schedule, according to more than half of respondents; for 77% of teams it takes weeks to months

Organizations also prioritize patching of different low, medium, high, and critical risk vulnerabilities. Obviously it is hard to determine how this is done but from what respondents have to say, critical or high risk bugs are taken care of fairly early. Medium and low risk bugs, on the other hand, are left unpatched for longer.

This is borne out by the lower percentage of high-risk vulnerabilities affecting the industries listed below.

Industry | Avg # of Findings per Asset | High Risk | Medium Risk | Low Risk
--- | --- | --- | --- | ---
SaaS | 6.5 | 11% | 31% | 58%
Healthcare | 5.4 | 14% | 27% | 59%
Fintech | 4.9 | 7% | 24% | 69%
Insurance | 6.2 | 16% | 24% | 60%
E-Learning | 8.4 | 17% | 38% | 45%

Smaller, lower-risk bugs can certainly have serious consequences. Cobalt explained how the 2017 Equifax breach was caused by a known bug for which a patch was already available. The Equifax breach:

  • Exposed the personal information of 148 million Americans, 15.2 million Britons, and 19,000 Canadians
  • Resulted in a $700 million settlement with the Federal Trade Commission
  • Led to the resignation of then-CEO Richard Smith
  • Cost $1.4 billion in total to remediate


“This was not a crazy technical problem that lacked a solution. The technical solution was available; this was a lack of people and process innovation,” said Caroline Wong, chief strategy officer at Cobalt.

It is highly improbable that every lower-risk bug will cause an incident as big as the Equifax one. But there is certainly a possibility of a number of them snowballing into a serious breach.

Additionally, the security and engineering teams may not be aligned at the level that is required for an unwavering and uncompromising DevSecOps environment. 20% of respondents said they are either poorly aligned or the relationship is neutral. Some of the challenges in DevSecOps are:

Figure: DevSecOps challenges | Source: Cobalt

Closing Thoughts

There’s clearly some work to be done. Yes, there are gaps in skills, technology integrations, resource alignment, and the fact that evaluation through techniques such as pentesting can be cost-intensive. If you think about it, each of these can have a domino effect.

Unskilled or even semiskilled workers may not pay heed to appropriate integrations, thus degrading not only the basis of the application security, but also the foundations of DevSecOps. Cost is probably the one area that is independent of the others.

Cobalt is ideally placed to tap into companies facing exactly this problem of bringing together the resources pertinent to pentesting. Pentesting is currently a $1.6 billion market, slated to grow to $3 billion through 2026 at a moderate CAGR of 13.8%.

Note: The State of Pentesting 2021 is based on data collated by Cobalt from 1,602 pentests the company did in 2020. Cobalt also interviewed 601 IT security professionals working in companies with 500+ employees across the United States, Germany, Austria, and Switzerland.
