F5 Labs released a report revealing that web application security issues constituted the majority of cyber threats over the last half decade. The report also found that web application issues took almost four times longer to discover than other extreme loss events.
The researchers analyzed the IRIS 20/20 Xtreme report, which examines the 100 largest cyber losses of the last 5 years (amounting to $18 billion in losses and 10 billion compromised records), together with Verizon’s Data Breach Investigations Report (DBIR). Both reports were analyzed using MITRE’s ATT&CK framework.
Web application security issues cause most data breaches
F5 Labs’ report found that web application attacks were the leading incident pattern among data breaches for 6 of the last 8 years.
Additionally, more than half (56%) of all the largest software security incidents experienced over the last 5 years originated from a web application security issue.
Using the ATT&CK framework, they found that the top 2 initial access methods both relied on public-facing web applications: 12% of threat actors exploited public-facing web applications, while 42% used valid user accounts on those web apps to compromise the targeted organizations.
Unsurprisingly, 57% of all losses from the largest web application security incidents originated from state-affiliated threat actors. Almost one in every five major web application security incidents was attributed to state-affiliated attackers, with losses amounting to $4.3 billion.
The report also found that web application security exploits took 254 days to detect on average, compared to 71 days for other extreme loss events.
Cross-site scripting and SQL injection attacks rank the highest
The F5 Labs report noted that experts lack consensus on the most common types of web vulnerabilities. However, ranking the findings across sources showed that SQL injection (SQLi) and cross-site scripting (XSS) vulnerabilities rated the highest.
Depending on the source, the reported prevalence of SQLi attacks ranged from 15% to 76%, while XSS attacks ranged from 4% to 54%. Additionally, each report analyzed showed higher attack rates with every successive recent year.
Other common vulnerabilities include broken authentication, sensitive data exposure, security misconfiguration, and broken access control.
Insecure deserialization and XML External Entities (XXE), both of which can lead to injection of malicious code and remote code execution (RCE), ranked moderately. Other weaknesses, such as using components with known vulnerabilities and insufficient logging and monitoring, were poorly reported and therefore scored lower on F5’s scale.
Some web application vulnerabilities were missing from some reports because not all sources report according to OWASP categories, the researchers explained. F5 also adopted a ranking mechanism instead of reporting percentages, because the sources measured different types of applications, for example, web applications versus open-source software libraries.
“Attempts to analyze and compare the prevalence of various types of attacks and vulnerabilities across multiple sources suffers from a Tower of Babel effect.”
Web application security remains a challenge
The researchers said that efforts to improve web application security had so far failed, despite the adoption of various open standards.
“It’s clear that some have tried to do that by adopting standard vulnerability frameworks like the Open Web Application Security Project (OWASP) Top 10, but that often doesn’t translate well to the attack side.”