[DZone Research] Vulnerabilities/Attacks Developers Face
We take a look at some data from the 2018 DZone Security Survey, focusing on vulnerabilities and attacks developers often face.
This article is part of the Key Research Findings from the 2018 DZone Guide to Security: Defending Your Code.
Introduction
Over the past 12 months, the IT industry has witnessed several large-scale attacks, such as the hacking of Equifax and instances of ransomware like NotPetya, as well as exploited vulnerabilities, like the infamous Struts vulnerability that eventually led to the Equifax hack. But do the realities on the ground match the sensational headlines?
Threats: SQLi, Phishing, and DDoS
We asked our survey-takers what threats have most concerned their organization over the past year. Despite the flabbergastingly bad past year for cybersecurity, our respondents’ answers remained virtually identical to those reported in the 2017 DZone Security Survey. 52% reported phishing as their organization’s biggest concern, 46% said SQL injection (SQLi), 39% said DDoS, 36% reported ransomware, and 31% said cross-site scripting (XSS) attacks. Even when we compare this data to our two main developer verticals (web app and enterprise business app developers), the numbers regarding threats that concern their organizations don’t undergo any statistically significant changes.
Something interesting does pop out, however, when we compare the threats that most concern organizations with the types of vulnerabilities developers encounter most often. While most vulnerabilities our respondents reported encountering were not that surprising, such as authentication + session management (43%) and cross-site scripting (40%), unvalidated redirects + forwards were selected by a rather small number of respondents. Unvalidated redirects + forwards was the eighth most common vulnerability from the OWASP Top 10 faced by respondents, with 23% of survey-takers reporting issues with this vulnerability. The low position of unvalidated redirects + forwards is surprising given the role this vulnerability plays in the spread of phishing attacks, and phishing was the most prominent organizational security concern among our respondents. Unvalidated redirects + forwards are, in fact, the programmatic mechanism for driving users to a seemingly innocuous, but malicious site (Paul Ionescu, “The 10 Most Common Application Attacks in Action,” SecurityIntelligence by IBM). Thus, despite a low instance of phishing attacks over the past year, it seems organizations are bracing for this type of cyber attack to increase in frequency.
Given that 39% of respondents reported having faced issues with denial-of-service attacks, let’s quickly go over the data regarding this common type of attack. Having to deal with many high-resource connections proved by far the most common form of DDoS attack faced by survey-takers, with 54% of respondents having faced this issue. The second most common form of DDoS attack faced was requests for large files (30%). No other form of DDoS attack registered more than 18% of respondents’ votes.
Conclusion: Vulnerabilities' Effects on Deployments
So, how do these attacks and vulnerabilities affect respondents’ ability to deploy their software? 43% reported that security analysis and vulnerability-fixing had a medium impact, 36% reported a low impact, and 13% reported a high impact. These numbers are, again, nearly identical to last year’s DZone Security Survey results. But, as we discussed in another article, security concerns do not always waylay deployments.