Imagine a spy movie scenario in which you’ve got a team of agents all operating on the same side. But there’s a catch. One teammate has been compromised, giving the enemy a way to infiltrate the team to cause problems. This compromised team member hasn’t necessarily decided to turn on their teammates: perhaps they’ve just got a blind spot that allows them to be manipulated. Nonetheless, it spells bad news for their colleagues and could bring all of them down in the process.
This analogy could well apply when it comes to application security, and the vulnerabilities in apps that are relied on by businesses and organizations. A security vulnerability refers to a software bug that can be exploited by bad actors in order to cause harm, whether this is exfiltrating sensitive data or breaking into systems to spread malware. All software has minor bugs, although not all of these bugs are security vulnerabilities. Nonetheless, the number of apps that do have such vulnerabilities is terrifyingly high.
According to one study, upward of 50% of the apps that are used in sectors including (but not limited to) healthcare, education, utilities, public services, and manufacturing have at least one serious vulnerability open for exploitation. Manufacturing apps turned out to have the highest proportion of serious vulnerabilities, with 70% of them featuring at least one, the study claims.
More than Half of Apps Contain Vulnerabilities
This kind of vulnerability rate would be alarming at any time. It is considerably more so now, when reliance on digital infrastructure, including the sheer number of apps in use, is at an unprecedented height.
Vulnerabilities in individual apps are devastating not just because they affect the apps in question, but also because they give attackers a way to break into the systems behind them or to access proprietary information.
In all, tens of thousands of new vulnerabilities are discovered each year, many of which are documented in catalogs of publicly disclosed security vulnerabilities such as the Common Vulnerabilities and Exposures (CVE) list and the US National Vulnerability Database (NVD). Because applications today must expose web-facing, mobile, and API-based interfaces at the same time, it is even harder for developers to guarantee (or even hope for) vulnerability-free software.
The Patching Problem
One of the big challenges when it comes to cracking down on these vulnerabilities — and their effects on businesses — involves patching. Patching refers to changes made to a computer program in order to update or otherwise improve it. Commonly, a patch means an over-the-air update for a software package, which frequently addresses newly discovered bugs or security vulnerabilities.
In many cases, legitimate developers will react quickly when new vulnerabilities are brought to their attention, whether discovered by their own software engineers or reported by security professionals, ethical hackers, or customers. No serious company wants its software to contain flaws that could compromise a user. But while some developers move fast, others don’t move fast enough. According to the aforementioned study of app vulnerabilities, the average time to fix critical vulnerabilities is very high: 189 days, or around six months, across all of the industries included.
Even when a patch is available, there is no guarantee that it means the end of the vulnerability in question. A patch only helps once users download and install it. That shouldn’t be too tough — except that, in almost all cases, computer users run far more than one program. This means keeping on top of a daunting number of patches being constantly released, not all of which address critical flaws.
Knowing which ones to prioritize is by no means easy. This is compounded by the cybersecurity skills gap, with many workplaces not having nearly enough knowledgeable experts on hand to help them navigate this world. According to one recent survey of professionals in cybersecurity, 57% described the skills shortage in this area at their own workplaces as being either “bad” or “very bad.”
Protecting Your Business
This convergence of factors conspires to make vulnerabilities extremely dangerous, and they are becoming more widespread all the time. Fortunately, there are ways to protect yourself as a business or organization. What is needed, first and foremost, is a scalable application security program. Invest in the right tools, ones that can block exploitation of known vulnerabilities even before those vulnerabilities have been patched.
Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) are powerful tools for mitigating the effects of exploited vulnerabilities. They assess incoming requests and stop attacks in their tracks, which includes filtering malicious request payloads and inputs before they reach vulnerable code. They reduce exposure while a patch is pending; they do not remove the underlying flaw, so patching still has to follow.
It would be amazing to live in a world where applications were built bug-free, with no vulnerabilities. But it would also be wonderful to live in a world where it was safe to leave your car unlocked and your front door open all the time. With neither of those looking likely any time soon, it’s smart to take cybersecurity matters into your own hands, the same way you’d make sure your home or personal possessions are properly secured.