Web developers spend more than half their time chasing down cybersecurity issues, and yet a third of these still reach the user-end production stage without being flagged. This is due to poor digital hygiene practices that stem from an internal culture of conflict at organizations, research suggests.
Infosecurity firm Invicti assessed nearly a thousand organizations on its client roster, around half of which are based in North America, discovering more than 280,000 “direct impact vulnerabilities” arising from what it described as “a disconnect between the reality of risk and the strategic mandate for innovation.”
“It isn’t always easy to get everyone on board with security, especially when it seems like it is holding you back from project completion or will be too costly to set up,” said Invicti. “But what most budget-holders don’t realize is that security and innovation go hand-in-hand.”
Moreover, speed of delivery did not even appear to be a beneficiary of this conflicted attitude to cybersecurity, with 80% of organizations saying that such issues caused service delays in any case.
Citing “staggering” numbers, which revealed that web developers spend 51% of their time trying to resolve digital security issues, Invicti urged employees working for different departments within organizations to stop seeing each other as rivals and instead start working together.
“Both development and security teams are suffering similar stressors,” said Invicti. “Both are stretched thin as they contend with antiquated tooling, disjointed processes, and too much manual work. This dynamic causes friction and the sense of a zero-sum game between innovation and security.”
Invicti warned organizations that they would suffer the consequences if such internal conflicts – and their resulting impact on cyber hygiene – were not resolved.
“We also uncovered that one in three security issues identified in scanning made it to production without being flagged in the development or test stages,” said Invicti. “That's a big problem that can lead to serious security risk and debt over time.”
To further illustrate the magnitude of the problem, it cited research by computer company IBM that found the average cost of a single cyber attack rose to $4 million last year – its highest level since 2004.
As for the threats themselves, the key offenders identified by the Invicti report were remote-code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi).
“These vulnerabilities can lead to consequences such as compromised back-end data, hijacked sessions, or forced actions on behalf of other users and services,” said Invicti.
Remote-code executions – which allow threat actors to run malware on target computers and have grown in popularity partly due to the Log4Shell vulnerability that was discovered last year – have increased by 5% since 2018.
Describing them as “the ultimate goal of any attacker”, the Invicti report said: “If a web application is vulnerable to RCE, a remote attacker can trick it into doing practically anything that the application’s programming language allows.
“This can include installing a web shell to provide convenient remote access to extract sensitive data, deploying malware, or probing and attacking other systems on internal networks. Having even a single RCE vulnerability in a production environment puts you at risk of a complete system compromise.”
“Though considered a low-impact vulnerability by many developers, XSS is dangerous because it can open the way to sensitive data disclosure, session hijacking, redirects to malicious sites, malware installation, and social engineering attacks,” said the report.
“For example, threat actors may send out legitimate-looking links that start with your known and trusted domain name, but end with disguised malicious script code that exploits a cross-site scripting vulnerability in your website. In effect, anyone clicking that link to your website will be attacked and assume that the attack came from your site.”
As for SQL injections, used by black-hat hackers to unlawfully gain access to databases, these seemed to be disproportionately targeting educational and government bodies, with around a third of each experiencing such attacks.
“A successful SQL attack can lead to compromised credentials, leaked company data, or even complete data loss,” said Invicti. “Couple that with the associated costly downtime, and it is an expensive problem. Despite being one of the oldest web vulnerabilities with well-known mitigation methods, SQL injection still occurs in modern web applications.”
Echoing the report’s findings, Invicti president Mark Ralls said: “Once again, we’ve seen that even well-known vulnerabilities are still prevalent in web applications. It’s time for organizations to gain command of their security posture. The only way to do that is to ensure that security is in the DNA of an organization’s culture, processes, and tooling.”
More from Cybernews:
Subscribe to our newsletter