CyCognito, an External Attack Surface Management platform, recently released its semi-annual “State of External Exposure Management” report [1] [2] [3] [4] [5] [6] [7]. The report sheds light on the vulnerability crisis in web applications and highlights the urgent need for improved security measures.

Description

Based on the analysis of 3.5 million assets [2] [3] [5], including those of Fortune 500 companies, the report reveals that a staggering 74% of web applications have personally identifiable information (PII) that is vulnerable to known major exploits [7]. The average enterprise has over 12,000 web apps [7], with at least 30% of them having exploitable or high-risk vulnerabilities [7]. This highlights the urgent need for improved security measures to protect against these vulnerabilities in web applications [4].

The report also highlights critical vulnerabilities in web applications [1], with about 70% lacking essential security measures such as Web Application Firewall (WAF) protection or an encrypted connection like HTTPS [7]. Half of these vulnerable web apps are hosted in the cloud [7]. Furthermore, a shocking 98% of web apps may be in violation of GDPR because they offer users no option to opt out of cookies [1] [3] [7]. This raises concerns about GDPR compliance and emphasizes the need for organizations to focus on remediating vulnerabilities at choke points to prevent significant harm.

The research underscores the importance of full-scope visibility of all assets to address critical risks within an organization’s attack surface [2]. It reveals that over 3,000 web applications have at least one exploitable or high-risk vulnerability, with half of them hosted in the cloud [2] [5]. The report emphasizes that no business is immune to risk and that unknown and undiscovered assets pose a significant threat to organizations [3].

CyCognito aims to provide organizations with visibility into their attack surface and help eliminate exposure to potential threats [5]. Security experts recommend a multi-pronged approach to mitigate risks, including regular vulnerability scans, prompt patching, multi-factor authentication, robust encryption, the principle of least privilege, staff training, an incident response plan, network segmentation, external assessments, and regular data backups [1] [6]. Rob Gurzeev, CEO of CyCognito, warns that attackers are always ahead and that our attack surfaces constantly change, making them moving targets with security gaps [7]. George McGregor, VP at Approov, emphasizes the need to identify and remove underused apps and to prioritize mobile app security [7]. It is clear that PII remains highly vulnerable and that external exposure management needs improvement [7].

Conclusion

The report’s findings have significant implications for organizations. The high percentage of web applications with vulnerable PII highlights the urgent need for improved security measures. The absence of essential security measures and GDPR compliance issues further emphasize the need for organizations to address vulnerabilities. The report underscores the importance of full-scope visibility and a multi-pronged approach to mitigate risks. It is crucial for organizations to prioritize security measures, regularly assess vulnerabilities, and take prompt action to protect against potential threats.

References

[1] https://www.infosecurity-magazine.com/news/study-reveals-web-apps/
[2] https://www.darkreading.com/cloud/cycognito-finds-large-volume-of-personal-identifiable-information-in-vulnerable-cloud-and-web-applications
[3] https://betanews.com/2023/08/18/74-percent-of-cloud-and-web-applications-with-pii-are-vulnerable-to-exploits/
[4] https://article.wn.com/view/2023/08/18/Yourpersonalinfocanbestolenthankstoloadsofvulnerab/
[5] https://zephyrnet.com/cycognito-finds-large-volume-of-personal-identifiable-information-in-vulnerable-cloud-and-web-applications/
[6] http://pfete.com/index.php/2023/08/18/cybersecurity-study-reveals-web-app-vulnerability-crisis/
[7] https://thenimblenerd.com/article/rainy-days-in-cyber-world-how-web-apps-leave-us-drenched-in-vulnerabilities/