Errors that allow SQL injection and cross-site scripting attacks are still the top vulnerabilities that pen-testers find, especially at smaller companies.

Despite years topping vulnerability lists, SQL injection (also known as database injection) and cross-site scripting (XSS) errors remain the bane of security teams, according to a new report by a penetration-testing-as-a-service company.

The report by BreachLock, based on 8,000 security tests performed in 2021, organizes its findings by risk. Critical risk findings pose a very high threat to a company’s data. High risks could have a catastrophic effect on an organization’s operations, assets or individuals. Medium risks could have an adverse impact on operations, assets or individuals.

More than a third of the critical risks found in web applications (35%) can be attributed to injection or data exposure, which the report noted is a matter of concern because the number of applications hosted on the internet is growing as organizations digitalize. “Despite SQL injection being such a common vulnerability for years, I’m surprised to see it is still as common as it was in 2014, 2015. More than 27% of our critical findings are SQL injection findings,” says BreachLock Vice President of Products Prateek Bhajanka.

Adoption of DevSecOps improving application security

Even more alarming, according to the report, is that more than 50% of the high-risk findings in web apps could be pegged to cross-site scripting errors. The report explained that developers often take the “deny list” approach to data validation over the “allow list” approach, so input the deny list did not anticipate ends up exploiting cross-site scripting vulnerabilities.

Nevertheless, critical and high findings for web apps represent only 5% of all findings for the category.
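The deny-list versus allow-list contrast the report draws is easiest to see side by side. The following is an added illustration, not code from the article or from BreachLock: a deny-list validator that only rejects the substrings its author thought of, an allow-list validator for the same “display name” field that accepts only the characters the field legitimately needs, and output encoding applied regardless of which validator ran. The field name, the character class and the sample inputs are constructed assumptions.

```python
import html
import re

# Constructed sample inputs for a hypothetical "display name" field.
# The last three are the kinds of values a deny list tends to miss.
SAMPLE_INPUTS = {
    "benign": "alice_01",
    "lowercase_script": "<script>alert(1)</script>",
    "mixed_case_script": "<ScRiPt>alert(1)</ScRiPt>",
    "event_handler": '<img src=x onerror="alert(1)">',
}

# Deny-list approach: reject inputs containing known-bad substrings.
# It catches only the patterns its author enumerated; anything new passes.
DENY_SUBSTRINGS = ("<script", "javascript:")


def deny_list_validate(value: str) -> bool:
    """Return True if the deny list would ACCEPT the value."""
    return not any(bad in value for bad in DENY_SUBSTRINGS)


# Allow-list approach: accept only what a display name legitimately needs
# (letters, digits, underscore; 3 to 32 characters). Anything else is rejected
# without the validator having to know what an attack looks like.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_]{3,32}")


def allow_list_validate(value: str) -> bool:
    """Return True if the allow list would ACCEPT the value."""
    return ALLOWED_NAME.fullmatch(value) is not None


def render_name(value: str) -> str:
    """Output encoding for an HTML context, applied regardless of validation
    outcome (defence in depth): '<', '>', '&', '"' and "'" become entities."""
    return html.escape(value, quote=True)


def compare_validators(inputs: dict) -> dict:
    """Run both validators over every sample and report who accepts what."""
    return {
        name: {
            "deny_list_accepts": deny_list_validate(value),
            "allow_list_accepts": allow_list_validate(value),
        }
        for name, value in inputs.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_validators(SAMPLE_INPUTS).items():
        print(f"{name:20s} deny-list accepts={verdict['deny_list_accepts']!s:5s} "
              f"allow-list accepts={verdict['allow_list_accepts']}")
    print(render_name(SAMPLE_INPUTS["event_handler"]))
```

Running it shows the deny list rejecting only the lowercase `<script` sample and waving through the mixed-case and event-handler variants, while the allow list rejects all three without ever naming them. The `render_name` step is the second half of the defence: even a value that slips past validation is rendered as inert text.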
These data insights reaffirm that web application security, especially with the adoption of DevSecOps, is resulting in improved application security, the report claimed.

When analyzing the infrastructure of organizations, BreachLock found a greater percentage of critical and high vulnerabilities in their internal infrastructure (more than 15%) compared to their external infrastructure (more than 9%). That indicates, the report noted, that organizations impose greater rigor in managing external-facing vulnerabilities than internal ones.

The report cautioned that cyber threats don’t only come from external-facing assets. Internal systems can be breached using phishing emails and stolen credentials to elevate privileges and move laterally within a network.

Smaller organizations more vulnerable

Critical and high findings were low in mobile apps, just over 7% for Android apps and close to 5% for iOS programs. Among the most common high and critical errors in mobile apps identified in the report were credentials hard-coded into apps. Using these credentials, attackers can gain access to sensitive information, the report explained.

More than 75% of the errors found in APIs were in the low category. However, the report warns that low risk doesn’t equate to no risk. Threat actors don’t consider the severity of the findings before they exploit a vulnerability, it warned. Among the highest critical risks found in APIs were missing function-level access controls (47.55%) and Log4Shell vulnerabilities (17.48%).

Of all high and critical findings across companies, the report noted, 87% were found in organizations with fewer than 200 employees.
The report identified several reasons for that, including cybersecurity being an afterthought in relatively small organizations; a dearth of bandwidth, security know-how and staffing; a lack of security leadership and budget; and the speed of business overpowering the need to do business securely.

The report also analyzed average times for mitigating critical and high findings by business vertical, finding the highest times in the manufacturing (101 days) and healthcare (95.56 days) sectors and the lowest times in the automotive (30 days) and professional services (33 days) sectors.

Bhajanka hopes organizations will be able to use the findings in the report to improve their cybersecurity posture. “They will be able to see whether they are doing better than global peers in the industry or doing worse,” he observes. “If they’re doing worse, it should be an alarm for them.”