Errors that allow SQL injection and cross-site scripting attacks are still the top vulnerabilities that pen-testers find, especially at smaller companies.

Despite years topping vulnerability lists, SQL injection (also known as database injection) and cross-site scripting errors (XSS) remain the bane of security teams, according to a new report by a penetration-testing-as-a-service company.

The report by BreachLock, based on 8,000 security tests performed in 2021, organizes its findings based on risk. Critical risk findings pose a very high threat to a company’s data. High risks could have a catastrophic effect on an organization’s operations, assets or individuals. Medium risks could have an adverse impact on operations, assets or individuals.

More than a third of the critical risks found in web applications (35%) can be attributed to injection or data exposure, which the report noted is a matter of concern because the number of applications hosted on the internet is growing with the increase in digitalization among organizations.

“Despite SQL injection being such a common vulnerability for years, I’m surprised to see it is still as common as it was in 2014, 2015. More than 27% of our critical findings are SQL injection findings,” says BreachLock Vice President of Products Prateek Bhajanka.

Adoption of DevSecOps improving application security

Even more alarming, according to the report, is that more than 50% of the high-risk findings in web apps could be pegged to cross-site scripting errors. The report explained that developers often take the “deny list” approach to data validation over the “allow list” approach, which leaves new, unanticipated input free to exploit cross-site scripting vulnerabilities.

Nevertheless, critical and high findings for web apps represent only 5% of all findings for the category.
These data insights re-affirm that web application security is improving, especially with the adoption of DevSecOps, the report claimed.

When analyzing the infrastructure of organizations, BreachLock found a greater percentage of critical and high vulnerabilities in their internal infrastructure (more than 15%) compared to their external infrastructure (more than 9%). That indicates, the report noted, that organizations impose greater rigor in managing external-facing vulnerabilities than internal ones.

The report cautioned that cyber threats don’t only come from external-facing assets. Internal systems can be breached using phishing emails and stolen credentials to elevate privileges and move laterally within a network.

Smaller organizations more vulnerable

Critical and high findings were low in mobile apps: just over 7% for Android apps and close to 5% for iOS programs. Among the most common high and critical errors in mobile apps identified in the report were credentials hard-coded into apps. Using these credentials, attackers can gain access to sensitive information, the report explained.

More than 75% of the errors found in APIs were in the low category. However, the report warns that low risk doesn’t equate to no risk: threat actors don’t consider the severity of a finding before they exploit a vulnerability. Among the highest critical risks found in APIs were missing function-level controls (47.55%) and Log4Shell vulnerabilities (17.48%).

Of all high and critical findings across companies, the report noted, 87% were found in organizations with fewer than 200 employees.
The report identified several reasons for that, including cybersecurity being an afterthought in relatively small organizations; a dearth of bandwidth, security know-how and staffing; a lack of security leadership and budget; and the speed of business overpowering the need to do business securely.

The report also analyzed average times for mitigating critical and high findings by business vertical, finding the highest times in the manufacturing (101 days) and healthcare (95.56 days) sectors and the lowest in the automotive (30 days) and professional services (33 days) sectors.

Bhajanka hopes organizations will be able to use the findings in the report to improve their cybersecurity posture. “They will be able to see whether they are doing better than global peers in the industry or doing worse,” he observes. “If they’re doing worse, it should be an alarm for them.”
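The deny-list versus allow-list distinction the report draws for cross-site scripting, as an added Python illustration that is not code from the report or from BreachLock: a filter that strips only the `<script>` tokens it knows about passes a trivially different spelling unchanged, while an allow-list of the characters a field is expected to contain, followed by output encoding, handles input its author never anticipated. The display-name field, its character set and the sample inputs are assumptions made for the example.

```python
import html
import re

# Added illustration, not taken from the BreachLock report: a deny-list filter
# that removes only the tokens its author thought of, next to an allow-list
# validator plus HTML output encoding for a user-supplied display name.

DENY_TOKENS = ("<script>", "</script>")
# Allow-list: the characters a display name is actually expected to contain
# (assumed field shape for this example).
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,40}")


def deny_list_filter(value: str) -> str:
    """Deny-list validation: remove known-bad tokens and pass everything else."""
    for token in DENY_TOKENS:
        value = value.replace(token, "")
    return value


def allow_list_validate(value: str) -> bool:
    """Allow-list validation: accept only input matching the expected shape."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def render_greeting(value: str) -> tuple[bool, str]:
    """Validate against the allow-list, then encode for the HTML text context.

    Returns (accepted, html_fragment_or_rejection_reason).
    """
    if not allow_list_validate(value):
        return False, "rejected: characters outside the display-name allow-list"
    return True, "<p>Hello, " + html.escape(value, quote=True) + "</p>"


# Constructed sample inputs: a legitimate name, a tag the deny list knows about,
# and a case variant the deny list never anticipated (the report's "new data").
SAMPLES = ["Ann Marie", "<script>x</script>", "<SCRIPT>x</SCRIPT>"]


def compare(samples=SAMPLES) -> list[dict]:
    """Report, per sample, what each validation approach lets through."""
    rows = []
    for s in samples:
        filtered = deny_list_filter(s)
        rows.append({
            "input": s,
            "deny_list_output": filtered,
            "deny_list_still_has_markup": "<" in filtered,
            "allow_list_accepts": allow_list_validate(s),
        })
    return rows
```

Only the third sample shows the gap: the deny list returns it with its markup intact, while the allow-list rejects it for the same reason it rejects the second one.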