25-April-2024

One third of applications are insecure and potentially accessible to malicious actors

'State of Application Security 2024' shows that despite significant risks, attention to software security falls short

Application security gets too little priority in The Netherlands. This is one of the main takeaways from research conducted by IT security specialist Computest Security. Their security specialists identified critical vulnerabilities in 30 percent of the tested applications. These require immediate attention because they pose a significant risk to the security, data privacy, or business continuity of organizations. They also found vulnerabilities in the authorization mechanism of nearly a third of the applications examined, potentially giving malicious actors unwanted access. The most common causes of these vulnerabilities are the use of outdated software that is no longer supported, failure to apply updates, and the absence of multi-factor authentication.

For the research titled 'The State of Application Security' by Computest Security, the results of over 300 security tests conducted on applications from various organizations over the course of a year were analyzed. This provides an overview of the main risks related to application security.


The anonymized analysis reveals that, on average, an application contains twelve vulnerabilities. Nearly a third of these vulnerabilities are considered important or even critical according to the internationally recognized CVSS scoring methodology. These vulnerabilities can have a significant impact on organizations and ideally should be addressed immediately.

Reality in practice is even worse

"It's important to note that the actual state of application security in practice may be even worse than our research results suggest. The organizations included in the anonymized study proactively requested a security test from us, demonstrating an awareness of the need for periodic testing," says Dennis de Hoog, CEO of Computest Security. "Therefore, the results may not necessarily reflect the average level of application security, and we expect the situation in practice to be worse than the figures in our report indicate."

Notably, in 32 percent of the tests, one of the most critical vulnerabilities found was cross-site scripting (XSS). This allows attackers to inject malicious script into the application's pages, which then runs in the browser of anyone who uses the application. This can lead to the theft of sensitive data or to users being redirected to a malicious website without their knowledge. For this vulnerability, it was found that in almost 60 percent of cases, exploitation was possible without having an account for the application.

Authorization and authentication vulnerabilities

The security specialists found vulnerabilities in the authorization mechanism of nearly 30 percent of the applications. This means that proper checks are not in place to verify whether the logged-in employee has the right to use the requested functionality. In one out of ten tests, it was even possible to perform administrative tasks from a normal user account, potentially allowing the attacker to take over the entire application in certain cases. Furthermore, the security of authentication was inadequate in 34 percent of the tested applications. In 19 percent of the applications, multi-factor authentication (MFA) was either not implemented or not implemented correctly, making it easier for attackers to gain access using stolen credentials.

Outdated third-party software

The major causes of vulnerabilities include the use of outdated software, failure to apply necessary updates, and the absence of strong authentication solutions. The use of third-party components also poses a significant risk: Computest Security's ethical hackers found vulnerabilities in such components in nearly 70 percent of the tests. Additionally, in 39 percent of the tests it was observed that the software in question was no longer supported with security updates.

Measures to mitigate risks

While completely preventing vulnerabilities is challenging, organizations can mitigate risks with the right measures. It starts with the development or procurement of software. Is it designed according to the 'secure by design' principle? By incorporating these principles into the purchasing, development, and integration of software, the risk of vulnerabilities can be reduced. Once the software is in use, it's advisable to regularly test it. This increases the likelihood of not only identifying vulnerabilities that have been present since the design phase but also detecting new vulnerabilities in a timely manner. Furthermore, having strong authentication tools and an update policy where updates are installed promptly upon availability is essential.

"Although we are daily confronted with the risks of cyber threats in the news, we see that too little action is being taken," says De Hoog. "The measures that can be taken are generally not rocket science but are not high on the agenda. Additionally, applications often receive less attention than internal or cloud networks, despite being just as much a part of the attack surface. As long as organizations are not affected by a security incident, there is little attention paid to it. However, once an incident occurs, the impact becomes immediately clear. Not only for the organization itself but also for the users of the application and sometimes third parties. Think of the misuse of data from applications for criminal purposes. This typically has significant consequences for the company and those directly and indirectly involved. Thus, an incident affects the entire chain."
