According to new findings by Context Information Security (www.contextis.com), Cross Site Scripting, Weak Authentication and TLS (Transport Layer Security) configuration still account for over 60% of high and critical vulnerabilities in web applications.
The research is based on 14,000 vulnerabilities identified and qualified from around 1,300 manually guided penetration tests. Over 12% – some 1,700 – of the findings were rated as high or critical impact, likely to result in unauthorised access or a compromise of user data or application functionality that could lead to financial or legal impact.
“These threats have been around for years, but it appears that the message is still not getting through,” said Andrew Scott, Assurance Regional Lead - Scotland at Context Information Security. “If an organisation were to focus on educating developers and their supply chain to prevent cross site scripting and authentication problems, while creating robust deployment processes for TLS, a large proportion of these problems could be avoided.”
“TLS issues often need addressing at the infrastructure layer and may not be under the control of developers,” said Andrew Scott. “Much like cross site scripting in the application space however, a very formulaic approach can be developed for each environment and can help address these problems.”