We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
“Every company is now a software company” is arguably a truer claim today than it was 16 months ago, due to pandemic-driven digital transformation efforts. But this shift has also opened the door to countless hacks, breaches, and cyberattacks.
To make sense of it all, analysts, corporations, and other industry organizations have published studies on the current state of software security. A recent Canalys report found more data breaches in 2020 than in the previous 15 years combined, while Synopsys concluded that 84% of codebases contain at least one open source vulnerability. CrowdStrike yesterday released its 2021 Global Threat Report, noting that 2020 was “perhaps the most active year in memory” for cyberattacks.
While these reports highlight some of the problems facing software security in 2021, their varying perspectives, methodologies, and inherent biases make drawing meaningful conclusions a challenge. Cybersecurity giant F5 and research and data science firm Cyentia Institute aim to tackle this problem with The State of the State of Application Exploits in Security Incidents report, a multi-source analysis that aggregates findings from prominent industry reports to arrive at a more holistic view of the current state of application security.
The goal is to identify consensus while highlighting the inherent challenges of carrying out multi-source analysis for anyone wishing to produce a similar report in the future.
Researchers from the Cyentia Institute said they initially reviewed more than 100 published reports spanning web application attacks and vulnerabilities, general incidents and breaches, and “extreme loss” cyber events. But they only used a subset of these in the final analysis. Sources included Verizon’s Data Breach Investigations Report (DBIR), Trustwave’s 2020 Global Security Report, Veracode’s State of Software Security, Cisco Talos’ Incident Response trends from Winter 2020-21, Crowdstrike’s 2020 Global Threat Report, and Cyentia’s own Information Risk Insights Study 20/20 “Extreme Edition” report (IRIS Xtreme), among others.
Cyentia’s IRIS Xtreme report analyzed the 100 largest cyber loss events of the past five years, which collectively amounted to $18 billion in financial losses and 10 billion records compromised. Web app attacks came in third place in terms of frequency. Verizon’s DBIR, meanwhile, is an annual report spanning tens of thousands of security incidents. The company’s 2021 report found nearly 5,000 incidents that would fall under web application security, putting the issue second in terms of frequency.
While comparing the exact numbers from security reports reveals notable differences, combining data and findings in this way helps paint a broader picture and arrive at what F5 calls a “so-so” agreement.
“All these data sources and statistics range widely in terms of scope, methods, quality, etc., making it a real challenge to synthesize findings across them,” F5 wrote in a post today. “But there’s ‘so-so’ agreement among them that web application security is a really big deal among really big incidents.”
These so-so agreements extend into the specifics of cybersecurity vulnerabilities. The various reports came to largely different conclusions in terms of the most common types of web application vulnerabilities and attacks, but F5 and Cyentia reported “at least ‘so-so’ agreement among them that [SQL] injection attacks and cross-site scripting rank highest.”
The report also found 56% of the largest incidents in the past five years related to a web app security issue, which represents 42% of all financial losses for extreme loss cybersecurity events. Moreover, the average time to discovery for web application exploits was 254 days, “significantly higher than the 71-day average among other extreme loss events” identified in studies.
And although we probably knew this already, based on recent high-profile breaches, state-affiliated actors were responsible for “57% of all reported financial losses for the largest web application incidents” in the past five years.
The report clearly demonstrates the obstacles to establishing consensus among diverse reports that use different methodologies. All the researchers and report authors “approach their subject matter with different definitions and assumptions,” Cyentia’s conclusion reads. “Some are focused on incidents as the most intelligible level on which to examine security. Some focus on attacker motivation, or on tactics, techniques, and procedures (TTPs). Some focus on vulnerability types.”
But if nothing else, the report serves as a reminder that companies need to protect their web apps. As Cyentia notes: “Fix your code, patch your systems, double-up your creds, watch your back(door).”
The State of the State of Application Exploits in Security Incidents report is available for anyone to read now.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.