The Open Web Application Security Project (OWASP) has just updated the top ten list of web app vulnerabilities for the first time since 2013. Not much has actually changed.
According to the list
the top vulnerability remains 'injection', and cross site scripting (XSS) is still in the top ten despite it plaguing web apps for a decade and a half now.
Given that Verizon's Data Breach Investigations Report (DBIR)
for 2017 also found that of 1,935 confirmed breaches analysed, some 571 had involved web app attacks, the seriousness of the OWASP list becomes clear.
Altogether this paints a rather sad picture of an industry that hasn't learned lessons. But is that portrait a fair representation of the web application development business? Is it really a case of developers refusing to smell the insecurity coffee, or is there something more complicated at work here?
Ilia Kolochenko, CEO at High-Tech Bridge, told SC Media that this can probably be explained by "high customisation of web applications." With start-ups creating their own web-based apps or implementing some level of customisation as a rule, he has a point. "At the same time" Kolochenko continues "they try to save money and consequently hire inexperienced developers." This leads to a toxic cocktail of new code and unaware or careless developers unavoidably leads to numerous vulnerabilities.
Tod Beardsley, research director at Rapid7, agrees that the latest OWASP revision "seems to be an indictment of the current culture of roll-your-own web application development" arguing specifically that it indicates a "lack of security validation for rapidly deployed applications."
The proliferation of third party libraries, to speed up this application development, has almost certainly seen the impact of vulnerable dependencies being amplified. "The silo nature of both application development and security" Claudio Camerino, managing consultant and AppSec lead at NTT Security reminds SC Media UK "has meant there has historically been a disconnection between the two."
There is, without very much doubt, an astonishing lack of security when it comes web applications. When you delve deeper, however, there are clear drivers perpetuating the problem. Wieland Alge, general manager EMEA at Barracuda, points to "the shortage of experienced developers" for example. "The skillset and experience required to enter into the world of web application programming is surprisingly low" Alge insists "therefore, a significant part of any web application code is usually written by juniors who are beginners in the grand scheme of things."
Meera Subbarao, senior principle consultant at Synopsys, also told SC Media that it's key to "build a culture within the development teams that facilitates proactive secure development." Indeed, such a fundamental behaviour change can "help ensure developers do not make the same mistakes like XSS and Code Injection in the first place" according to Subbarao.
And everyone would agree with Ken Munro of Pen Test Partners that "SQL injection should be gone by now as it's generally an easy problem to solve and the solutions today are the same as they were five years ago." Munro puts the persistence of the issue purely down to inertia.
When you consider that Black Duck's 2017 Open Source Security and Risk Analysis
(OSSRA) report found open source in 96 percent of the commercial software tested, and known vulnerabilities in two-thirds of those code bases, it's an inertia that's proving very costly. "This lack of visibility is seen even in companies with strong application security programs" insists Black Duck's VP of security strategy, Mike Pittenger.
Such research, and the OWASP top ten specifically, uses data "mostly from companies that offer services to find those type of issues" says Pedro Fortuna, CTO at Jscrambler, who continues "and that alone distorts this benchmark." Graeme Park, senior consultant at Mason Advisory, also argues that as the list is constructed from community feedback from application security specialists, it's seen "through a biased lens that benefits their particular areas of expertise."
Yet the same arguments can also be applied to the problem of web app development insecurity. With many organisations having no software development lifecyle framework to define how tasks are performed at any given step in the process, the developer alone is often relied upon to test code for vulnerabilities. This, says Trend Micro principal security strategist Bharat Mistry, is "akin to marking your own homework."
It's not all bad news though, while legacy applications suffer from continuing problems as highlighted by the OWASP list, new projects are a different beast. "Despite the steady stream of problems being publicised in the media, big important applications are getting better" Andrew Scott, assurance lead at Context Information Security insists, concluding "we see a maturity of approach in projects that work to design-in defences against hacking, including the OWASP Top 10 vulnerabilities, from the start of their projects, and this absolutely works..."