Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

26 Percent Acknowledge a Web Application Breach in 2019

DZone 's Guide to

26 Percent Acknowledge a Web Application Breach in 2019

A recent study found that 26 percent of organizations admitted to a confirmed or suspected web application breach over the past 12 months.

· Security Zone ·
Free Resource

Early this morning, news broke that 620 million account details stolen from hacked websites were up for sale on the dark web. The scale of the stolen account details is daunting. But the more interesting revelation about this news is that the adversary responsible for breaching the 16 sites in question noted his entry point: exploiting security vulnerabilities within web applications to gain remote-code execution and then extract user account data.

Web application breaches are a not new topic to us at Sonatype. It's an area of software development and cybersecurity hygiene that we have covered for several years. In fact, we just wrapped up the collection of responses from our 2019 DevSecOps Community Survey where we had asked the question: "have you experienced a web application breach in the past 12 months?"

While we'll be releasing a full set of findings on March 4th, we thought it imperative with today's news to share one of this year's survey responses: 26 percent of respondents (797 of 3104) said they either confirmed or suspected a web application breach within their organization over the past 12 months.

Let that begin to sink in: 1 in 4 organizations acknowledged breaches due to a security vulnerability in a web application. The same approach used by adversaries to breach 16 sites and gain access to 620 million account details also impacted 797 respondents from our 2019 survey.

We are not the only ones to see this pattern of successful breaches emerging. In December, Forrester Research released data showing that the leading cause of successful breaches stemmed from external attacks. Among those external attacks, web applications breaches topped the list of most successful breach points (36 percent).

What makes web applications more vulnerable to a breach than other forms of attack? First of all, web applications are publicly facing and are easy for adversaries to find. Then, one only needs to look so far as cybersecurity hygiene reports from the JavaScript community. JavaScript is one of the world's most popular programming languages used by web application developers to create dynamic and interactive web pages. To accelerate the composition of these applications, 6 million JavaScript developers around the world rely upon reusable sets of JavaScript code known as npm packages. Over 85 percent of a modern web application is composed from these npm packages.

Pair that perspective with data from an October 2018 report that revealed 51 percent of npm packages downloaded by web application developers had a known security vulnerability.

When empirical evidence shows that half of the components commonly used to build web pages from have a known security vulnerability, one has to ask if anyone is paying attention to what parts are being used to assemble today's software. In fact, researchers at Northeastern university did ask this question and shared their results in the report, Thou Shall Not Depend on Me. The researchers noted that "using data from over 133,000 websites, we show that 37 percent of them include at least one [npm package] with a known vulnerability.

This latest announcement is yet another example of how businesses electively put their customers' data at risk. As consumer awareness increases, they are likely to become much less tolerant of those companies who fail to implement proper security when they have the tools available to do so.

Topics:
security ,web application development ,devsecops ,news ,breach ,app security ,cybersecurity ,data breach

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}