Here is a snapshot of how common various vulnerabilities and risks were in software developed in-house between 2021 and 2023.
In analyzing web applications developed in-house between 2021 and 2023 by IT, government, insurance, telecommunications, cryptocurrency, e-commerce, and healthcare organizations for vulnerabilities, a cybersecurity firm has made some observations.
Predominantly, vulnerabilities in these web applications involved access control flaws open to malicious use, and failures to protect sensitive data (i.e., sensitive data exposure). In the former case, attackers can try to bypass the policies that limit users to their authorized permissions, which can lead to unauthorized access, alteration or deletion of data, and beyond. The latter type of vulnerability involves the exposure of sensitive information such as passwords, credit card details, health records, personal data, and confidential business information. In terms of cyber risk, the largest proportion of high-risk vulnerabilities was associated with SQL injection.
Another significant share of high-risk vulnerabilities was linked to weak user passwords; a majority of such vulnerabilities were classified as high-risk.
Other findings
- server-side request forgery (medium-risk incidence most common)
- cross-site scripting (medium-risk incidence most common)
- broken authentication (medium-risk incidence most common)
- security misconfigurations (low-risk incidence most common)
- insufficient protection from brute-force attacks (low-risk incidence most common)
- using code components with known vulnerabilities (low- and medium-risk incidence most common)
According to Oxana Andreeva, a security expert at Kaspersky, the firm that compiled these findings from its customer ecosystem, considering the most common vulnerabilities in web applications developed in-house at various firms, together with the level of risk involved, helps raise awareness of application development security. “For instance, one vulnerability could enable attackers to steal user authentication data, while another could help execute malicious code on the server, each with varying degrees of consequences for business continuity and resilience,” Andreeva said.
To improve the security of web applications and to detect possible attacks on them in a timely manner, the firm recommends that its client organizations adopt a secure software development lifecycle, perform regular application security assessments, and enforce logging and monitoring mechanisms.