A disturbing number of applications with very serious security flaws

A worrying number of commonly used applications have very serious security flaws, especially those used by companies in the technology sector, according to new research.

A Veracode report that analyzed 20 million scans across half a million applications across technology, manufacturing, retail, financial services, healthcare and government found that 24% of applications in the technology sector have high-severity defects.

The technology sector also has the second-highest proportion of applications with at least one security vulnerability (79%); only the public sector fares worse (82%).

Fixing defects

Among the most common types of vulnerabilities are server configuration issues, insecure dependencies and information leaks, the report states, adding that these findings "broadly follow" the pattern seen in other industries. However, the technology sector deviates most from the cross-industry average on cryptographic issues and information leaks, which leads the researchers to speculate that developers in this sector are more aware of data protection challenges.

When it comes to the number of problems fixed, the tech sector falls somewhere in the middle. However, companies in the sector are relatively quick to resolve issues: it takes them up to 363 days to fix 50% of their defects. Although this is better than average, there is still a long way to go, Veracode added.

For Chris Eng, director of research at Veracode, it's not just about finding bugs, but also about reducing the number of bugs introduced into the code in the first place. In addition, he believes that companies need to focus more on automating security tests.

"Log4j sparked a wake-up call for many organizations last December. This was followed by government action in the form of guidance from the Office of Management and Budget (OMB) and the European Cyber Resiliency Act, both of which focus on supply chain," Eng said. "To improve performance in the coming year, technology companies should not only consider strategies that help developers reduce the rate of introduced vulnerabilities in code, but also place more emphasis on automating security testing in the continuous integration/continuous delivery (CI/CD) pipeline to gain efficiency."
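As an added illustration of the two points above (a CI/CD gate on security findings, and the "days to fix 50% of defects" figure the report uses), here is a small Python script that is not part of the article or of Veracode's tooling. It reads a constructed, generic JSON list of findings (not any real scanner's format), fails the build if any open finding is at or above a severity threshold, and computes how many days it took to close half of all findings; the field names, categories and dates are assumptions made for the example.

```python
"""CI security gate over scan findings (added example, not Veracode's tooling).

Two checks the article's advice implies:
  1. fail the pipeline when any open finding is high severity or above;
  2. report the time it takes to close half of the defects (the "days to
     fix 50%" figure the report quotes), computed from open/close dates.
The input format is a constructed, generic JSON list of findings.
"""
import json
from datetime import date
from typing import Optional

# Ordering used for the threshold comparison (assumed, not a scanner's scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, not real scan data.
SAMPLE_SCAN = json.dumps([
    {"id": "F-1", "category": "insecure dependency", "severity": "high",
     "opened": "2022-01-10", "closed": None},
    {"id": "F-2", "category": "server configuration", "severity": "medium",
     "opened": "2022-01-10", "closed": "2022-02-09"},
    {"id": "F-3", "category": "information leakage", "severity": "low",
     "opened": "2022-01-15", "closed": "2022-01-20"},
    {"id": "F-4", "category": "cryptographic issue", "severity": "critical",
     "opened": "2022-02-01", "closed": "2022-02-03"},
    {"id": "F-5", "category": "server configuration", "severity": "medium",
     "opened": "2022-02-01", "closed": None},
])


def parse_findings(raw: str) -> list:
    """Parse the JSON list, convert dates, and reject unknown severities
    so a mislabelled finding cannot silently pass the gate."""
    findings = json.loads(raw)
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} on {f['id']}")
        f["opened"] = date.fromisoformat(f["opened"])
        f["closed"] = date.fromisoformat(f["closed"]) if f["closed"] else None
    return findings


def blocking_findings(findings: list, threshold: str = "high") -> list:
    """Open findings at or above the threshold; a non-empty list fails the build."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings
            if f["closed"] is None and SEVERITY_RANK[f["severity"]] >= limit]


def days_to_fix_half(findings: list) -> Optional[int]:
    """Days until half of all findings (rounded up) are closed.

    Still-open findings count as unresolved, so they push the figure up
    rather than being ignored; returns None if fewer than half are closed."""
    total = len(findings)
    if total == 0:
        return None
    fix_days = sorted((f["closed"] - f["opened"]).days
                      for f in findings if f["closed"] is not None)
    needed = (total + 1) // 2
    if len(fix_days) < needed:
        return None
    return fix_days[needed - 1]


def gate(raw: str, threshold: str = "high"):
    """Return (passes, blocking ids, days to fix half) for one scan result."""
    findings = parse_findings(raw)
    blockers = [f["id"] for f in blocking_findings(findings, threshold)]
    return (not blockers, blockers, days_to_fix_half(findings))


if __name__ == "__main__":
    ok, blockers, half = gate(SAMPLE_SCAN)
    print("pipeline passes" if ok else f"pipeline blocked by {blockers}")
    print("days to fix 50% of defects:", half)
    raise SystemExit(0 if ok else 1)
```

Run as a pipeline step, the non-zero exit code blocks the merge while the open high-severity dependency finding (F-1) remains; the remediation metric counts unresolved findings against the team instead of averaging only the ones already fixed, which is what keeps the number honest.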

Cybercriminals often scan companies' Internet-facing applications for vulnerabilities and code loopholes. When they find one, they frequently use it to deploy web shells, which then give them access to the corporate network and endpoints. After mapping the network and identifying all the devices and data, they can launch the second stage of the attack, which is usually ransomware, malware, or data wipers.