XSS Flaws Most Common Over Past Nine Years
The volume of common web-based vulnerabilities found by a leading cybersecurity firm over the past nine years has refused to come down, highlighting a need for greater investment in secure coding practices and awareness.
Global information assurance firm NCC Group uncovered over 1100 vulnerabilities from more than 350 vendors of operating systems, hardware and networking services, and cloud and web services over a near decade-long period.
However, while some classes of vulnerability had virtually disappeared over the past nine years — including format string flaws, memory-related flaws and some vulnerabilities in XML applications and services — others stubbornly persisted, it claimed.
King among these is the cross-site scripting (XSS) flaw, which was the most common type overall, comprising 18% of all those found.
“Although there could be a lot of factors influencing the discovery of bugs over the past nine years — such as shifts in industry focus with regard to certain classes of bugs, and even the time that our consultants have available — there is still an ongoing prevalence of the most common vulnerabilities,” explained NCC Group research director, Matt Lewis.
“While some historically common vulnerabilities have disappeared over the last nine years, cross-site scripting has been around for almost 20 years. We should have seen a significant fall in these types of vulnerabilities, but this hasn’t been the case, which highlights the need for better education around security within the software development life cycle.”
Over the years, Lewis and his team have uncovered vulnerabilities in 53 categories and have also spotted an increase in the number targeting complex applications and hardware — including deserialization flaws and exploitation of multiple chained flaws across complex web apps.
“This highlights the need for more investment into security skills, as well as a wider understanding of how important the mitigation of these vulnerabilities is for the overall security of businesses,” said Lewis.
Source: Information Security Magazine