YOUR business website has at least one severe vulnerability – giving hackers open access – what can you do?

Statistically your company website already has at least one severe flaw – and there could be many more, says Ian Muscat. Why are website vulnerabilities so frequent and on the rise? What should organisations be focusing on and how can they protect themselves in the future?

For the first time, the majority of websites scanned now contain at least one severe vulnerability. It is not surprising, then, that industry estimates show two-thirds of businesses have already suffered an online breach or attack, and Juniper Research projects that annual cyber-crime costs will quadruple to US$2 trillion (£1.5 trillion) by 2019.

There are around one billion websites globally, and millions of web apps in existence – so we can see the scale of the potential attack surface. There are more vulnerabilities than ever before, giving more opportunities to cyber-criminals. In fact they are almost spoilt for choice.

It is commendable that organisations want to embrace digital ways of working, adopting BYOD and remote working and engaging with customers online, to make people's lives easier and more connected. They do not do it for purely altruistic reasons, of course; it also raises much needed revenue. But as the pace of delivering these services increases, the focus on security tends to shrink.

Poor security is costly

Today’s development teams wield considerable power in the company as they implement the CIO’s vision, often dictating a firm’s digital strategy. But in practice this means that teams are under mounting pressure to deliver apps for staff and customers, while security can often take a back seat.

As software moves from development to staging and production, flaws can creep in, and the longer they go unnoticed the more costly they are to fix. For example, fixing a vulnerability in a live system can cost up to ten times as much as catching it at the development stage. Nor is it only internal costs: the additional costs of a data breach, from bad PR to potential fines, can be massive. We have all seen the devastating headlines about high-profile data breaches, most recently at Dropbox, LinkedIn and TalkTalk, carried out by a range of attackers from disgruntled ex-employees to organised gangs. These costs and the bad publicity should be major deterrents, but, as we have seen, security is often left wanting.

Which vulnerabilities are the biggest problem?

The Web Application Vulnerability Report 2016, conducted by Acunetix, looked at 45,000 website and network scans run against 5,700 scan targets between April 2015 and March 2016. The results show that 55 percent of websites have one or more high-severity vulnerabilities, and that the picture has deteriorated significantly in just one year: the figure is nine percentage points higher than in the 2015 report. In addition, 84 percent of web applications were found to have medium-severity vulnerabilities, while 16 percent of perimeter network assets were susceptible to at least one medium-severity vulnerability.

Cross-site Scripting (XSS) is still the most common vulnerability (33 percent of targets), even though it is six points down on last year. By contrast, vulnerable JavaScript libraries (outdated versions with known flaws, which typically expose the web app to XSS) have more than doubled since last year and are now the second most common finding (27 percent). SQL Injection is still high at 23 percent, even after dropping back slightly from 2015.

Organisations need to be clear about what this means: a high-severity vulnerability could allow attackers to gain unauthorised access to data and systems, including sensitive financial, customer and health data and trade secrets. Attackers could also pivot from the compromised web application to other systems and escalate the attack further.

What steps should companies be taking?

It’s critical to put a plan in place to prioritise problem areas – and actually start tackling them – to protect your brand’s online real estate.

Businesses can identify problem areas and fix them by following these steps, which significantly reduce the chance of a successful cyber-attack:

1. Use an automated vulnerability scanner, such as Acunetix, to find the flaws you already have.
2. Understand your assets and identify which have the higher priority.
3. Bake security into your development process, rather than bolting it on afterwards.
4. Understand the environment in which your application is deployed and what dependencies (including third-party JavaScript libraries) it relies on.
5. Remember, when designing your app, one key mantra: never trust the user. Treat every value that arrives from a browser as hostile until it has been validated, and keep data separate from code when it reaches a database or a page.
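The two vulnerability classes the report ranks highest, SQL injection and XSS, are both failures of the "never trust the user" mantra, and both have a standard fix. The following is an added example, not code from the article or from Acunetix: it puts a vulnerable handler beside its hardened form for each class, using Python's standard library only. The users table and the malicious inputs are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration: a tiny in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn


# SQL injection, vulnerable form: the user's value is spliced into the SQL
# text, so a quote in the input changes the grammar of the query itself.
def find_user_vulnerable(conn, username):
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


# SQL injection, hardened form: the query text is fixed at development time
# and the value travels as a bound parameter; it can never become SQL.
def find_user_safe(conn, username):
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# XSS, vulnerable form: user input is reflected into the page verbatim, so
# markup in the input becomes markup in the response.
def greeting_vulnerable(name):
    return f"<p>Hello, {name}!</p>"


# XSS, hardened form: encode for the HTML text context before insertion.
# quote=True also escapes quotes, which matters if the same value is ever
# placed inside an attribute.
def greeting_safe(name):
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo():
    """Run both attacks against both forms and return what each handler did."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"          # constructed attack input
    xss_payload = "<script>alert(1)</script>"  # constructed attack input
    return {
        "sqli_vulnerable": find_user_vulnerable(conn, sqli_payload),
        "sqli_safe": find_user_safe(conn, sqli_payload),
        "xss_vulnerable": greeting_vulnerable(xss_payload),
        "xss_safe": greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Run stand-alone, the vulnerable lookup returns every user because the injected `OR '1'='1'` makes the WHERE clause always true, while the parameterised lookup returns nothing, since no user is literally named `x' OR '1'='1`. Likewise the encoded greeting contains `&lt;script&gt;` rather than a live script tag. The same two ideas, parameterisation and contextual output encoding, are what a scanner's XSS and SQLi findings are ultimately asking you to apply.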
