New research shows that while all sectors are at risk, 70% of manufacturing apps have vulnerabilities.
Web-facing applications continue to be one of the highest security risks facing organisations, with more than 40% of them actively leaking data in a way that can have a ripple effect across businesses and their partners, the research found.
Manufacturing is particularly vulnerable to attacks through these apps: 70% of its applications had at least 1 serious vulnerability open during the previous 12 months, researchers found.
That’s according to a report from app-security firm White Hat Security, “AppSec Stats Flash Volume 3,” which outlines how the increased prevalence of applications that are exposed to the internet through web, mobile & API-based interfaces has increased the attack surface and thus the security risk for organisations & their supply chains across the board.
The report also found that the top 5 vulnerability classes in internet-facing apps have stayed consistent over the last 3 months. Those flaws are: information leakage, insufficient session expiration, cross-site scripting, insufficient transport-layer protection & content spoofing.
Cloud applications are currently driving the global economy, especially in a post-pandemic world in which business is increasingly done over the internet. However, more web-based applications & data in the cloud also means a higher risk of data breaches.
Applications are increasingly multi-sided, with access through web, mobile & API-based interfaces. That makes application security a multi-dimensional challenge, researchers said.
“We continue to find that window of exposure, a key measure of exploitability, remains very high,” Setu Kulkarni, VP of Strategy at White Hat, explained. “What that means is that web-facing applications & APIs continue to have serious exploitable vulnerabilities throughout the year.”
What happens when an adversary attacks the supply chain was made very evident recently by the ongoing SolarWinds debacle, in which adversaries used SolarWinds’ Orion network management platform to infect users with a stealthy backdoor called Sunburst (a.k.a. Solorigate). That in turn opened the way for lateral movement to other parts of a network.
Indeed, supply-chain attacks can be particularly damaging because they affect connected systems & business applications that are linked more than ever before through predominantly API-based integrations, Kulkarni observed.
This threat is made worse by a further key finding: the average time an organisation takes to fix critical vulnerabilities is still over 190 days, while the top vulnerability classes remain relatively the same, giving bad actors an “easy way” into corporate networks, he observed.
“Pedestrian vulnerabilities continue to plague applications,” researchers commented. “The effort & skill required to discover & exploit these vulnerabilities is fairly low, thus making it easier for the adversary.”
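The report's headline metrics (window of exposure, share of apps with a serious flaw open during a 12-month period, time-to-fix for critical findings, and the top vulnerability classes) can be computed from a scanner's findings export. The script below is an added illustration, not code from the report or from WhiteHat; it assumes "serious" means critical or high severity, that window of exposure is the count of days in the period on which an app had at least one serious finding open, and it runs over a small constructed findings list.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SERIOUS = {"critical", "high"}  # assumption: which severities count as "serious"

@dataclass
class Finding:
    app: str
    vuln_class: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the finding is still open

def open_days(f: Finding, start: date, end: date) -> set:
    """Days within [start, end] on which finding f was open (fix day excluded)."""
    first = max(f.opened, start)
    last = min(f.closed - timedelta(days=1) if f.closed else end, end)
    if first > last:
        return set()
    return {first + timedelta(days=i) for i in range((last - first).days + 1)}

def window_of_exposure(findings, app: str, start: date, end: date) -> int:
    """Number of days in the period on which `app` had >= 1 serious finding open."""
    exposed = set()
    for f in findings:
        if f.app == app and f.severity in SERIOUS:
            exposed |= open_days(f, start, end)
    return len(exposed)

def share_of_apps_exposed(findings, start: date, end: date) -> float:
    """Fraction of apps with at least one serious finding open at any point in the period."""
    apps = {f.app for f in findings}
    return sum(window_of_exposure(findings, a, start, end) > 0 for a in apps) / len(apps)

def mean_time_to_fix(findings, severity: str = "critical") -> float:
    """Average open-to-closed days for remediated findings of the given severity."""
    fixed = [(f.closed - f.opened).days for f in findings if f.severity == severity and f.closed]
    return sum(fixed) / len(fixed)

def top_classes(findings, n: int = 5) -> list:
    """Most frequent vulnerability classes across all findings."""
    return [c for c, _ in Counter(f.vuln_class for f in findings).most_common(n)]

# Constructed sample: three apps over a 12-month period (not real data)
START, END = date(2020, 1, 1), date(2020, 12, 31)
FINDINGS = [
    Finding("erp-portal", "Information Leakage", "high", date(2020, 2, 1), date(2020, 9, 1)),
    Finding("erp-portal", "Cross-Site Scripting", "critical", date(2020, 8, 1), None),
    Finding("supplier-api", "Insufficient Session Expiration", "critical", date(2019, 11, 1), date(2020, 5, 20)),
    Finding("supplier-api", "Information Leakage", "low", date(2020, 3, 1), None),
    Finding("brochure-site", "Content Spoofing", "low", date(2020, 6, 1), date(2020, 6, 10)),
]
```

Running `share_of_apps_exposed(FINDINGS, START, END)` on the sample gives 2 of 3 apps exposed, and `mean_time_to_fix(FINDINGS)` gives 201 days for the one remediated critical finding, the same shape of numbers the report cites.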
Manufacturing at Greatest Risk
The manufacturing sector seems particularly susceptible to attacks through vulnerabilities in web-facing applications, likely because it was “traditionally never internet-connected as an industry” and then had to rapidly transition legacy systems & software to keep up, Kulkarni outlined.
“The lift & shift of applications that were never meant to be internet-facing to become internet-enabled has likely resulted in this high risk,” he stated.
Another factor putting manufacturing at greater risk is that supply chains are now increasingly software-driven, which means business partners are now having to open up otherwise internal applications to integrate with supply-chain partners. This again results “in existing vulnerabilities that were previously unexploitable to become publicly exploitable,” Kulkarni explained.
Remediation of Vulnerabilities
However, the remediation of vulnerabilities present in an organisation’s internet-facing apps is “an immediate & imminently achievable goal for development & security teams,” researchers wrote in the report. That journey toward better security starts with organisations taking measures toward “reducing the risk of being breached in production,” Kulkarni explained.
“Organisations must take inventory of public-facing apps, scan them continuously in production & take a risk-based approach to fix in-production issues,” he concluded. “That is step one.”