Sqreen recently published its inaugural State of Application Security 2020 Report, analyzing thousands of real security events happening at runtime across Sqreen customer applications. Rather than rely on self-reported data, the insights outlined in this report include data from actual in-app vulnerability exploits to give readers a real-time look into the true state of application security. We created this report to help security and technology leaders better prioritize their security and development decisions in the future and to share our findings with OWASP to build their upcoming Top 10 2020 report.
In this post, we wanted to share some key takeaways from Sqreen’s State of App Sec 2020 report.
Exploits increased by 4x year over year
Our report looks at real exploit data (i.e. real malicious activity that has successfully exploited vulnerable code), not just noisy malicious payloads or WAF attack data. Looking at the actual exploits that made it into production environments, we saw a significant increase in exploits year over year, from 2.3% to 9.3%. An increase in exploits could be the result of numerous conditions, including faster deployment cycles, an increasing focus on distributed architectures, and growing incentives for cybercriminals. The key takeaway is to take extra care of your web applications as you grow, and to continuously monitor and secure your applications.
SQL injections remain a top problem
In our analysis, SQL Injections made up 47% of attempted exploits. We dug into the data to understand which technologies were most susceptible to them, with some interesting results.
Ruby applications were shown to have the most SQL injection occurrences, with nearly 70% of Ruby applications experiencing a SQL injection attempt. Java was the least susceptible with 28% of apps experiencing a SQL injection.
As a refresher, a SQL injection is a high severity vulnerability that occurs when a malicious actor modifies the structure of a SQL query in a way that was not intended by the developers. Exploitation of this type of severe vulnerability could put your web application security at critical risk.
For more than 15 years, SQL injections have been among the most common and dangerous threats to web applications on the OWASP Top 10. As we can see from our data, these attacks are still happening today across technologies and continue to increase over time. There are numerous ways to protect against injections, especially if you are writing in Ruby and Node.js: using safe APIs, setting up input validation, using SQL controls like LIMIT, escaping special characters when not needed, and using RASP and In-app WAF to block these requests at runtime.
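To make the first three of those recommendations concrete, here is an added Ruby example (it is not code from the Sqreen report or from any Sqreen product) that contrasts a string-interpolated query with a parameterised one and bounds a user-supplied LIMIT. The `users` table, its columns, and the `structure_signature` helper are assumptions made for illustration; the helper is a crude counter of boolean operators and comment markers, used only to show that the vulnerable form lets input change the query's structure while the safe form keeps the SQL text fixed.

```ruby
# Added example, not from the Sqreen report: three SQL injection mitigations in Ruby.
# The `users` table and its columns are hypothetical.

# Vulnerable: the user-controlled value becomes part of the SQL text, so the
# query's structure can be changed by the input.
def vulnerable_user_query(username)
  "SELECT id, email FROM users WHERE name = '#{username}'"
end

# Safe API: the SQL text is fixed and the value travels separately as a bind
# parameter, the way ActiveRecord's where("name = ?", username) or a prepared
# statement hands it to the database driver.
def safe_user_query(username)
  ["SELECT id, email FROM users WHERE name = ?", [username]]
end

# SQL control: coerce LIMIT to a bounded positive integer so a caller can
# neither inject text nor request the whole table.
def clamp_limit(raw, default: 20, max: 100)
  n = Integer(raw, exception: false) # nil for non-numeric input
  return default if n.nil? || n <= 0
  [n, max].min
end

# Illustration-only structural check (hypothetical helper): counts boolean
# operators and comment markers in the query text.
def structure_signature(sql)
  {
    or: sql.scan(/\bOR\b/i).size,
    and: sql.scan(/\bAND\b/i).size,
    comments: sql.scan(%r{--|/\*}).size
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the classic tautology payload.
  payload = "' OR '1'='1"
  puts vulnerable_user_query(payload)          # one extra OR appears in the SQL text
  puts structure_signature(vulnerable_user_query(payload)).inspect
  sql, binds = safe_user_query(payload)
  puts sql                                      # SQL text unchanged
  puts binds.inspect                            # payload is just a string value
  puts clamp_limit("500")                       # 100
end
```

The point of `structure_signature` is only to make the difference visible: with the bound-parameter form the query text is identical for every input, so an In-app WAF or RASP layer that compares the executed statement's structure against the developer's intent has nothing to flag, while the interpolated form grows a second boolean term.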
PHP apps were 3x more likely to be exploited
PHP technologies experienced the largest number of attempted exploits with 3x more exploits than all other applications. An extraordinary 20% of PHP applications experienced an exploit, while other languages averaged around 7%.
The likely culprit for these high exploit numbers is legacy PHP apps with no active development. It is often hard to keep up with security when developers are not actively working on a legacy app. There are several approaches and techniques for securing legacy PHP apps: testing, improving your security posture, reviewing vulnerable third-party code, integrating security into your software development lifecycle (SDLC), and including RASP and In-app WAF approaches to block attacks at runtime. These recommendations can help you stay on top of most of your vulnerable legacy applications.
Exploits still occur in applications with frameworks
While PHP apps historically experienced the highest number of attempted exploits, we wanted to know which PHP frameworks were most likely to experience vulnerability exploits.
61% of exploited PHP applications did not have a framework in place, while 39% did. Among PHP apps that did use a framework, the exploits were fairly evenly distributed and showed no significant differences between frameworks. It isn't a surprise that most PHP exploits occurred on apps with no framework, as frameworks offer various conveniences that guide developers towards building applications securely. Frameworks, however, are not a silver bullet (as we can see from the data) and are still vulnerable. Even more modern frameworks, like Laravel, have been exploited.
Similarly, Ruby applications using the Rails framework continued to see increases in SQL injections, particularly from admin pages and API endpoints. Nearly 70% of Ruby on Rails apps experienced a SQL injection, with 46% of injections coming from admin pages or API endpoints. A robust and secure framework, like Rails, doesn't make you completely invulnerable. Security and technology leaders must ensure their frameworks are used effectively across all parts of their application to drive the most impact. As we can see from the Ruby on Rails data, it's important to pay close attention to your admin pages and API endpoints.
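Admin pages and API endpoints typically accept sorting and filtering parameters, and those are where a framework's safe query API is easiest to bypass by accident: a column name or sort direction cannot be sent as a bind parameter, so it ends up interpolated into the SQL. The following added Ruby example (not code from the Sqreen report, from Rails, or from any Sqreen product) shows the input-validation pattern for that case: allow-list identifiers, bind values, and escape LIKE wildcards so user text is treated literally. The `users` table, the parameter names `q`, `sort` and `dir`, and the allowed column list are assumptions for illustration.

```ruby
# Added example, not from the Sqreen report: hardening an admin/API listing
# endpoint whose sort and filter parameters come from the request.
# Table, columns and parameter names are hypothetical.

# Identifiers cannot be bound as parameters, so they are allow-listed.
ALLOWED_SORT_COLUMNS = %w[created_at email name].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

# Returns an ORDER BY fragment built only from allow-listed tokens; anything
# else falls back to the defaults instead of reaching the SQL text.
def order_clause(sort_param, dir_param)
  column    = sort_param.to_s
  direction = dir_param.to_s.downcase
  column    = "created_at" unless ALLOWED_SORT_COLUMNS.include?(column)
  direction = "desc"       unless ALLOWED_DIRECTIONS.include?(direction)
  "ORDER BY #{column} #{direction}"
end

# Escape LIKE metacharacters so a search term matches literally; the query
# declares the same escape character with ESCAPE '\'.
def escape_like(value)
  value.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Whole listing query: the search value is bound, the identifiers are
# allow-listed, and the page size is a fixed LIMIT.
def admin_user_listing(params)
  clause = order_clause(params["sort"], params["dir"])
  sql    = "SELECT id, email FROM users WHERE email LIKE ? ESCAPE '\\' #{clause} LIMIT 50"
  term   = escape_like(params.fetch("q", ""))
  [sql, ["%#{term}%"]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, including an unexpected sort value.
  sql, binds = admin_user_listing("q" => "ali", "sort" => "id) --", "dir" => "ASC")
  puts sql          # sort falls back to created_at; direction becomes asc
  puts binds.inspect
end
```

With this shape the SQL text can take only a small, enumerable set of forms (three columns times two directions), which is exactly what a RASP or In-app WAF layer needs in order to tell an intended query from a modified one at runtime.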
Adopt in-app protection for evolving architectures
It’s clear from the data that critical vulnerabilities make it to production all the time. While you should do your best to detect and remediate them before they ever get to production, you should also consider security approaches in production that evolve as your architecture evolves.
The great news is there is a lot of sophisticated software and best practices to help you detect and protect your application, APIs, and microservices against malicious attacks.
As we move to the future of architecture, detecting vulnerabilities in your applications, APIs and microservices should take an in-app approach. Relying solely on automated testing tools to detect vulnerabilities in your applications pre-production can be helpful, but it may deliver a lot of false positives and is unlikely to catch everything.
We recommend establishing a multi-layered approach that brings security into the various layers of your application and SDLC, including tools like Sqreen RASP & In-App WAF that can help ensure real-time protection for your apps.
For more state of app security insights, read the full "State of App Security 2020 Report" here.