The number of flaws found in WordPress and its associated plug-ins has tripled since 2017, while the number of Internet of Things vulnerabilities has declined significantly, according to Imperva data.
The total number of vulnerabilities that researchers reported in web applications rose to 17,142 in 2018, an increase of more than 21 percent over the previous year, driven partly by the sheer number of web applications and application programming interfaces (APIs) in use.
Among popular content management systems (CMSes), WordPress had the most reported vulnerabilities, with 542.
WordPress has a large ecosystem of more than 54,000 plug-ins, and according to web security firm Imperva, which published its findings in a report this week, those third-party plug-ins accounted for almost all (98 percent) of the web security issues identified by researchers last year.
This popularity and extensibility make WordPress attractive to web developers and to online attackers alike, says Nadav Avital, threat analytics research manager at Imperva. "These make WordPress a lucrative asset that many hackers look at; any security hole that they can find and exploit can lead to a mass infection," he said.
According to the National Vulnerability Database (NVD), after more than a decade of 5,000 to 8,000 reports per year, the number of publicly disclosed vulnerabilities overall (not only in web apps) jumped in 2017, rising by more than 127 percent to 14,649 disclosed issues. Growth in web application development, wider use of open source components and more rigorous security testing are probably all factors contributing to the increase.
"The overall number of vulnerabilities is expected to increase year after year," says Imperva's Avital. "Every year there are more products, new and legacy, to check, and more sophisticated tools to check them."
According to the NVD, the total number of vulnerabilities reported continued to rise in 2018, by almost 13 percent to over 16,500. Other organizations that track more specific classes of security issues have seen similar increases: according to software security firm WhiteSource Software, the number of vulnerabilities in open-source components rose by 51 percent to more than 3,200 documented issues.
"We certainly see a great deal of growth in the number of vulnerabilities associated with modern applications," said David Habusha, vice president of product at WhiteSource. "Attackers focus on front-end web servers, content management platforms and the Internet of Things."
While WordPress had more than 500 vulnerabilities, Drupal, another content management system, had two of the most attacked vulnerabilities, Imperva found. In terms of vulnerability classes, problems that allow commands to run through another application, often referred to as injection attacks, accounted for 3,294 flaws.
Remote command execution accounted for the largest share of those vulnerabilities, with 1,980. While web applications appear to be increasingly targeted, another major focus of vulnerability research, the Internet of Things, seemed to fare well in 2018, according to the Imperva report.
The number of vulnerabilities in IoT devices and software fell to its lowest level in three years. Imperva's Avital says that growing interest in developing security standards and best practices has probably led vendors to invest more in security. "Although fewer vulnerabilities in IoT products have been identified, it does not mean that IoT is safe from cyber attackers," he says.
"While new IoT products may be more secure, many IoT vendors still do not push security updates, and when they do, it is unclear how to update or even deploy them, as some devices cannot be taken offline."
Companies need both to automate their vulnerability scanning and to use agile methodologies so that security problems are solved as early as possible in the software development cycle. "I think we are still at the point of saturation, where organizations focus much more on detecting vulnerabilities rather than on remediation of vulnerabilities," says Cornell.
"People still test a lot, but they still do not fix enough." To fix vulnerabilities and reduce the number of problems reaching production, code-checking software can help developers play a bigger role in securing software as it is written.