Web applications leave companies vulnerable to breaches
Insecure and outdated web applications are a core source of high-profile data breaches among FT 500 global companies according to new research from web security company High-Tech Bridge.
The study reveals that abandoned, shadow and legacy web applications more or less nullify corporate cybersecurity spending and undermine compliance.
The research took the 1,000 largest global companies as per the Financial Times: FT US 500 and FT Europe 500 and High-Tech Bridge performed a large-scale discovery and non-intrusive assessment of their external web and mobile applications, SSL certificates, web software and unprotected cloud storage.
It found that the 500 largest US companies have 293,512 external systems accessible from the internet. 42,549 out of them have a live web application with a dynamic content and functionality. The 500 largest EU companies have 112,750 external systems accessible from the internet. 22,162 of them have a live web application with dynamic content and functionality.
This means a US company has an average of 86.5 applications that can be easily discovered externally and are not protected by 2FA, strong authentication or other security controls aimed to reduce application accessibility to untrusted parties. For an EU company, there are 46 such applications per company.
Among other findings are that less than 20 percent of discovered web servers in both the US and EU have an SSL/TLS configuration compliant with the most recent version of PCI DSS 3.2.1. Also less than three percent of web servers get an 'A' grade for properly implemented security hardening and configuration
"Concerns about cybersecurity skills shortage are growing even faster than global cybercrime," High-Tech Bridge's CEO and founder, Ilia Kolochenko says. "Security professionals are being increasingly overloaded with a great variety of tasks, often of a trivial or routine nature. Few companies have time and resources to build a thorough application security strategy, desultory spending on divergent solutions to get hacked at the end of the day. DevSecOps fails."
You can read more about the research on the High-Tech Bridge website, where there are also links to free assessment tools so you can check your own web-facing systems for vulnerabilities.