The Most Vulnerable Web Platforms
In recent years large companies have been using an increasing variety of web applications: official corporate sites, enterprise resource planning (ERP) systems, e-marketplaces, banking systems and public service portals. Enterprise applications built on specialized client software are increasingly being replaced by web-based versions and cloud services. Web applications are the most common target of attacks, and they are considered one of the least protected parts of any organization.
Below is a summary of recent research by Positive Technologies on web application vulnerabilities.
The analysis covers 300 web applications, 40 of which underwent in-depth analysis. The statistics include only external web applications reachable from the Internet.
The tested web applications belonged to companies from various sectors: e-commerce (30%), finance and banking (22%), industry (17%), information technology (15%) and telecommunications (13%).
The tested applications were developed mainly in PHP (58%) and ASP.NET (25%). The most popular web servers this year were Nginx (37% of web applications), Apache (26%) and Microsoft IIS (24%).
68% of systems contain high-risk vulnerabilities, up from 62% last year. The previous study found an average of 15.6 vulnerabilities per web application; this year the figure has almost doubled, to 29.9. Most of the identified vulnerabilities (89%) stem from errors in application code, and only 11% from incorrect configuration of the web application.
Vulnerabilities by development platform
As last year, the most vulnerable applications are those written in PHP: 81% of such systems contain critical vulnerabilities (76% last year). For ASP.NET-based resources this figure has fallen from 55% to 44%. A PHP web application contains 11 critical vulnerabilities on average; for ASP.NET the figure is 8.4.
86% of the surveyed web applications served by Nginx contain high-risk vulnerabilities. The share of vulnerable resources running on Microsoft IIS fell significantly compared to last year, from 71% to 44%. The share of vulnerable sites running on Apache increased by 10%, to 70%.
Vulnerabilities by industry
The banking industry leads in the share of systems with high-risk vulnerabilities (89%). This may be because most of the investigated resources were not remote banking (DBS) systems or other systems that process financial transaction data, so the banks paid less attention to protecting these applications. A high proportion of web applications with critical vulnerabilities was also observed in telecommunications (80%), manufacturing (71%) and information technology (67%). The share of e-commerce systems with high-risk vulnerabilities is also considerable, at 42%.
This research shows that any web application may contain critical vulnerabilities. To avoid many critical problems, the full testing stage should not be skipped during development. So if some of your app's users are already reporting problems, or you simply want to take a step forward and run the needed tests to make sure the app works correctly, feel free to contact us and get help from our QA and development teams.
Archer Software has a long history of successfully implementing outsourcing solutions. You can see some of our case studies here. We can take care of routine projects such as UI development, business logic layer and API updates, integrating and updating hardware connectivity layers, technical documentation, and auto-test support. This lets your team focus on the research and science part of your projects, helping them complete their strategic plan faster and with much less "technical debt" in the project's codebase.
For more information on how we can develop software that is right for you, please contact us at firstname.lastname@example.org.