The number of vulnerabilities in major web-application frameworks has declined since peaking most recently in 2016, but attackers have remained focused on exploiting weaknesses in the software platforms, according to an analysis published by cybersecurity firm RiskSense on March 16.
The result is that while major frameworks such as Apache Struts and platforms such as WordPress have seen fewer overall vulnerabilities, the weaponization rate climbed to 8.6% in 2019, exceeding the 3.9% rate for the National Vulnerability Database as a whole. The data suggests that although the groups and organizations responsible for maintaining the frameworks have become better at securing the code, attackers remain focused on finding ways to use the even smaller number of security bugs to compromise web application servers, says Wade Williamson, a researcher with RiskSense.
“Web application frameworks are the last piece of code that people pay attention to,” he says. “But they are Internet-facing, there are a lot of them, and they are easy to find once they are out there.”
The data suggests that companies should take stock of their web application frameworks from the standpoint of security. The typical website is scanned by automated attacks targeting exploitable vulnerabilities dozens of times a day, past research has shown.
Because developers typically are not going to help maintain the actual framework, and producing patches for web application frameworks can sap a great deal of developer productivity, selecting the right platform for a company’s web applications is extremely important, Williamson says.
“No matter how good of a developer you are, if there is a vulnerability in your framework, your application is going to be vulnerable,” he says. “As a developer and an organization, choosing a framework is a big deal — it is what the security of your apps will rely on.”
While the rate of exploitation — or weaponization, as RiskSense calls it — has increased, the absolute number of exploits has not risen by much. The increase in the rate of weaponization is more due to the drop in vulnerabilities in the frameworks overall — a positive sign.
However, WordPress, Apache Struts, and Drupal — along with their parent languages PHP and Java — continue to have the highest rates of weaponization, Williamson says.
“We have been seeing very different types of problems in the past five years versus the past 10, but even as that changed, the problems with weaponization were still in the same spots,” he says. “The hot spots remained the same.”
It’s not just a measure of a framework’s popularity or age, he adds. Apache Struts, for example, is declining in popularity but has had a significant number of vulnerabilities.
“I think Apache Struts is one of the first frameworks that I, as a developer, would consider moving away from,” he says. “It is not just about who has the broadest footprint, because the attackers are still very active in investigating certain frameworks, even as their popularity goes down.”
Python frameworks have become very popular, yet both the number of vulnerabilities found in popular frameworks such as Django and Flask and their weaponization rates have been very low.
However, web application frameworks have evolved over time, as have the vulnerabilities that attackers have found. In 2010, cross-site scripting, input validation, and permission errors topped the list of reported security issues. In 2019, the top three issues were input validation, information exposure, and access control. Cross-site scripting has fallen to the fifth most exploited issue.
“Upgrading frameworks is kind of a pain and risky for developers because as you move from version to version, you have to maintain your changes,” he says. “So, to me, the choice of framework is one of risk and the level of maintenance you can tolerate.”