
Improving Application Security: Key Findings and Insights

Application security is critical for organizations as attacks increasingly target business logic and the sensitive data that services handle. Organizations must focus on detecting attacks and protecting their applications while rolling out remediation efforts. With over 25,000 vulnerabilities identified in 2022 alone, and with complex trees of open-source libraries in every application, prioritization is an essential security concern.

In a recent Datadog study, the 2023 State of Application Security Report, the company analyzed data from thousands of organizations using its ASM and APM products to provide application security insights.

Prioritizing Only 3% of Critical Vulnerabilities

When runtime context is used to adjust Common Vulnerability Scoring System (CVSS) scores, only 3% of critical vulnerabilities are worth prioritizing. These vulnerabilities are detected in a service that hasn’t been attacked in the last 30 days.

Risk Increases with Third-Party Dependencies

For Java, Node.js, and Python services, the risk grows with the number of third-party dependencies. However, this trend does not hold for .NET services. This is possibly due to factors like the .NET standard library or less security research attention.

Java Services Present the Highest Risk

Java has the highest median service risk score, followed by .NET, Node.js, and Python. Factors like access to low-level primitives, reflection, and OGNL usage in Java and .NET could contribute to higher CVSS scores.

Vulnerabilities from the ’90s Still Affect Organizations

SQL injection and server-side request forgery (SSRF) vulnerabilities discovered over 20 years ago still impact modern web applications. Over the last year, 5% had at least one exploitable SQL injection vulnerability, while 2% had an exploitable SSRF vulnerability.

Three-Quarters of Attacks Are Mistargeted

74% of attacks are mistargeted and would not succeed based on runtime context. Security teams need to qualify attacks to focus on the important ones that require attention.
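The two ideas above, downgrading a CVSS score with runtime context and qualifying an attack against the service it actually hit, can be demonstrated with a small prioritizer. This is an added example, not code or data from the Datadog report; the service inventory, vulnerability ids and the adjustment weights are all constructed assumptions chosen to illustrate the approach.

```python
from dataclasses import dataclass

# Constructed sample inventory (assumed for illustration, not report data).
@dataclass
class Service:
    name: str
    language: str
    internet_exposed: bool
    attacked_last_30d: bool

@dataclass
class Vuln:
    vuln_id: str          # placeholder ids, not real CVE numbers
    service: str
    cvss_base: float      # score as published
    library_loaded: bool  # vulnerable library actually loaded at runtime

SERVICES = {s.name: s for s in [
    Service("checkout-api", "java", True, True),
    Service("batch-report", "java", False, False),
    Service("blog", "php", True, True),
]}

VULNS = [
    Vuln("VULN-0001", "checkout-api", 9.8, True),
    Vuln("VULN-0002", "batch-report", 9.8, True),
    Vuln("VULN-0003", "blog", 9.1, False),
    Vuln("VULN-0004", "checkout-api", 7.5, True),
]

def adjusted_score(v: Vuln, svc: Service) -> float:
    """Assumed adjustment rules: downgrade when runtime context shows no realistic path."""
    score = v.cvss_base
    if not v.library_loaded:
        score -= 3.0   # vulnerable code never executes
    if not svc.internet_exposed:
        score -= 2.0   # no direct external reach
    if not svc.attacked_last_30d:
        score -= 1.5   # no observed attacker interest
    return max(score, 0.0)

def prioritize(vulns, services, threshold=9.0):
    """Return ids of vulnerabilities that remain critical after adjustment."""
    return [v.vuln_id for v in vulns
            if adjusted_score(v, services[v.service]) >= threshold]

def is_mistargeted(attack_language: str, svc: Service) -> bool:
    """An attack aimed at a runtime the service does not use cannot succeed."""
    return attack_language != svc.language

if __name__ == "__main__":
    criticals = [v for v in VULNS if v.cvss_base >= 9.0]
    print(f"{len(prioritize(VULNS, SERVICES))} of {len(criticals)} criticals remain")
```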

PHP Is the Top Target of Language-Specific Attacks

68% of language-specific attacks targeted PHP applications, followed by 30% targeting Java and 2% targeting JavaScript. PHP’s popularity makes it an attractive target for attackers.

Non-Production Environments Face 11% of Attacks

At least 11% of attacks target non-production environments, opening up the possibility of supply chain attacks. Companies should pay attention to all systems across every application lifecycle stage.

What does this mean for WordPress?

  1. Security vulnerabilities in PHP: Since WordPress is built on PHP, it is susceptible to the security vulnerabilities associated with the language. As PHP is the top target of language-specific attacks, WordPress sites must be vigilant about securing their installations.
  2. Third-party plugins and themes: WordPress relies heavily on third-party plugins and themes, which can introduce vulnerabilities. As the risk increases with the number of third-party dependencies, it is crucial for WordPress site owners to carefully evaluate the security of plugins and themes before using them and to keep them updated.
  3. The continued prevalence of older vulnerabilities: WordPress sites can still be affected by older vulnerabilities like SQL injection if they are not adequately secured. Site owners should stay informed about the latest security threats and implement proper security measures to protect their websites.
  4. Importance of securing non-production environments: Since non-production environments face 11% of attacks, WordPress site owners must secure their development, staging, and testing environments. This can help prevent supply chain attacks and protect sensitive data used during testing.

WordPress site owners should prioritize security by keeping their core software, plugins, and themes up-to-date, implementing best practices for securing their installations, and maintaining a strong focus on the security of both production and non-production environments.

In conclusion, application security is critical for organizations as attacks become more sophisticated and increasingly target business logic and sensitive data. Prioritizing vulnerabilities, understanding the risks associated with third-party dependencies, and securing all environments throughout the application lifecycle are essential to maintaining a solid security posture.

The insights provided in this study emphasize the importance of context in assessing vulnerability severity, the need to manage third-party dependencies carefully, and the ongoing threat posed by older vulnerabilities. Furthermore, organizations should know the risks associated with different programming languages and platforms, such as PHP and WordPress.

By staying informed about the latest security threats, implementing best practices, and leveraging tools like Datadog Application Security Management (ASM) and Application Performance Monitoring (APM), organizations can effectively manage their application security, protect their sensitive data, and mitigate potential risks.

Read the full report
