Using anonymized data from three years of tests conducted on commercial software systems and applications, the recently published Software Vulnerability Snapshot report from Black Duck focuses on exposing persistent vulnerabilities that are significant challenges to web and software application security, including the top three vulnerability types related to
Information leakage occurs when sensitive information is exposed to unauthorized parties. For example, a website might leak data about users, such as usernames or financial information, through some type of security misconfiguration.
The OWASP Top 10 list includes information disclosure under the A01:2021—Broken Access Control category and notes that more vulnerabilities fit into this category than any other. Notable vulnerabilities in this category include exposure of sensitive information to an unauthorized actor, exposure of sensitive information through sent data, and cross-site request forgery.
Related to information leakage/disclosure, application privacy failure occurs when an application has not been properly designed, implemented, or patched, resulting in a potential privacy breach in which an unauthorized user can access data or content.
These vulnerabilities were discovered by Black Duck® Security Testing Services.
Security misconfigurations can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and preinstalled virtual machines, containers, and storage. Such flaws frequently give attackers unauthorized access to system data or functionality, occasionally even resulting in a complete system compromise.
As a further indication of how prevalent security misconfigurations are, application misconfiguration ranks as the fifth-most-dangerous risk on the OWASP Top 10 list of vulnerabilities.
Many applications ship with developer features, such as debug and QA functionality, that are dangerous if not deactivated before deployment. Configuration files that are not properly locked down may expose secrets in clear text (unencrypted text that anyone with access can read), and default settings in configuration files may not have been chosen with security in mind.
Insufficient transport layer protection weaknesses arise when applications fail to protect network traffic. Applications may use SSL/TLS during authentication but often fail to use it elsewhere in the application, leaving data and session IDs exposed.
Many mobile applications have specific issues with insufficient transport layer security, to the point where OWASP has dedicated a category in its OWASP Mobile Top 10 list to it.
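To make the misconfiguration and transport-protection weaknesses above concrete, here is an added example (not code from the report or from Black Duck) that audits a deployment configuration for the specific problems named: developer switches left on, credentials stored in clear text, and TLS enforced only on the login path with an insecure session cookie. The configuration keys (DEBUG, HTTPS_REQUIRED_PATHS, SESSION_COOKIE_SECURE, and so on) and both sample configs are constructed assumptions modelled on common web-framework settings.

```python
import re
from typing import Dict, List

# Keys that name credentials; an inline literal under such a key is a clear-text secret.
SECRET_KEY = re.compile(r"(password|secret|api_key|token)$", re.IGNORECASE)
# Values that defer to the environment or a vault instead of embedding the secret.
INDIRECT_VALUE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|vault:.+)$")
# Developer/QA switches (assumed names) that must be off in a deployed build.
DEV_SWITCHES = ("DEBUG", "QA_ENDPOINTS_ENABLED", "VERBOSE_ERRORS")


def audit_config(cfg: Dict[str, object]) -> List[str]:
    """Return one finding string per weakness; an empty list means the config passes."""
    findings: List[str] = []
    for key in DEV_SWITCHES:
        if cfg.get(key) is True:
            findings.append(f"{key}=True: developer feature left active in deployment")
    for key, value in cfg.items():
        if SECRET_KEY.search(key) and isinstance(value, str) and not INDIRECT_VALUE.match(value):
            findings.append(f"{key}: credential stored in clear text")
    # TLS only on the authentication path leaves session IDs exposed on every other page.
    https_paths = cfg.get("HTTPS_REQUIRED_PATHS", [])
    if "/" not in https_paths:
        findings.append(f"HTTPS_REQUIRED_PATHS={https_paths}: TLS not enforced site-wide, "
                        "session IDs exposed outside authentication")
    if cfg.get("SESSION_COOKIE_SECURE") is not True:
        findings.append("SESSION_COOKIE_SECURE unset: session cookie may be sent over plain HTTP")
    return findings


# Constructed sample: the shape of configuration that produces the weaknesses above.
WEAK_CONFIG = {
    "DEBUG": True,
    "DATABASE_PASSWORD": "hunter2",
    "API_TOKEN": "${API_TOKEN}",
    "HTTPS_REQUIRED_PATHS": ["/login"],
    "SESSION_COOKIE_SECURE": False,
}
# Constructed sample: the same settings hardened.
HARDENED_CONFIG = {
    "DEBUG": False,
    "DATABASE_PASSWORD": "vault:kv/app/db",
    "API_TOKEN": "${API_TOKEN}",
    "HTTPS_REQUIRED_PATHS": ["/"],
    "SESSION_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```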
Implement a multilayered security approach. Relying on a single solution such as static application security testing (SAST) may not be sufficient to uncover security issues such as misconfigurations or information leakage. Organizations should implement a multilayered security approach that combines SAST to identify coding flaws, dynamic application security testing to examine running applications, software composition analysis to identify vulnerabilities introduced by third-party components, and penetration testing to identify issues such as misconfigurations as well as vulnerabilities that the other tests may miss.
Determine whether you need to supplement your security testing. Does your team have sufficient application security skills and resources to test for security defects? Do they have the time to test your software at the level demanded by regulators and your customers?
Choose a vendor that can augment your team with on-demand, expert security testing.
Black Duck offers a full spectrum of testing services, including penetration testing, dynamic application security testing, static application security testing, mobile application security testing, network penetration testing, red teaming, IoT and embedded software testing, and thick client testing.
Augment your team with our on-demand resources to protect your software, your business, and your customers. Contact Black Duck today to schedule a free consultation.