Recently Acunetix provided some aggregated data from over 15,000 security scans performed over the past 12 months. The security stance of many sites still needs a lot of work, and web application attack surfaces are far too broad in aggregate.
A few key findings that marketing technologists would do well to take note of include the following:
- Nearly half of the web applications scanned contained a high-severity vulnerability such as cross-site scripting (XSS) or SQL injection.
XSS is found in web applications and allows attackers to inject client-side script into web pages being viewed by others. SQL injection allows an attacker to use malicious SQL statements to execute code remotely and compromise databases in numerous ways; downloading raw data or changing data are two of many possibilities.
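To make the two findings above concrete, here is an added example (not from the Acunetix report): a lookup that splices user input into SQL text beside its parameterised form, and a page fragment rendered with and without HTML escaping. The table contents, function names and inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample database; not real data.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return con


def find_user_vulnerable(con, username):
    # Untrusted input becomes part of the SQL text, so a quote character
    # in the input can change the structure of the query itself.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return con.execute(query).fetchall()


def find_user_hardened(con, username):
    # Parameterised query: the value travels separately from the SQL text
    # and can only ever be compared as data, whatever characters it holds.
    query = "SELECT id, username FROM users WHERE username = ?"
    return con.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(name):
    # Reflects input straight into HTML: markup in the input is interpreted.
    return f"<p>Hello, {name}</p>"


def render_greeting_hardened(name):
    # Escapes <, >, &, quotes so the input is displayed, not executed.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "' OR '1'='1"):
        print(repr(name), find_user_vulnerable(db, name), find_user_hardened(db, name))
    print(render_greeting_vulnerable("<b>x</b>"), render_greeting_hardened("<b>x</b>"))
```

The tautology input makes the concatenated query return every row, while the parameterised query simply finds no user by that name; the same contrast applies to the greeting.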
- Many scans found that the main superbugs of 2014 had not been patched.
These superbugs include Heartbleed, Shellshock and POODLE. If you remember Heartbleed, Robert McMillan of Wired called it the bug that “Broke the Internet”. Of course, 2015 hasn’t been a slouch when it comes to security issues either: GHOST, FREAK and HTTP.sys are not our friends.
- 38% of the applications scanned had a vulnerability that can lead to a Denial of Service (DoS) attack.
DoS can fundamentally cripple online operations. A slow HTTP DoS attack like Slowloris opens many connections to the server and keeps them alive with incomplete requests, occupying all of the server’s available request-handling slots. This means users can’t access your site even if the infrastructure is “up”.
- WordPress is a common Content Management System platform and thus a large target for attacks: 11 distinct WordPress vulnerabilities were discovered.
Being popular makes you a target. Many people don’t update their WordPress themes and plugins or have any security protocols in place. Many of the attacks on WordPress were a result of native, out-of-the-box functionality (username enumeration, for example). Others were simply due to bad security practices, such as weak passwords or not keeping the platform upgraded.