According to a recent report from WhiteHat Security, the average website had 3.2 critical application vulnerabilities, a number that has remained unchanged over the last three years. The report also broke down the number of critical application vulnerabilities by industry. The results for the IT industry were particularly interesting. According to the report,
“IT is one of the worst offenders when it comes to the sheer volume of vulnerabilities. One possibility could be based on its lack of regulation as compared to well-regulated industries like finance or healthcare.”

Critical application vulnerabilities like the ones featured on the OWASP Top 10 list of web application risks (which has been around since 2003 and updated every 2 years since) are typical of the critical vulnerabilities found on websites. These vulnerabilities are the bane of application developers, testers, and IT security personnel, even now, over a decade since the publication of the first OWASP Top 10 list.
A great start for protection against critical application vulnerabilities like SQL Injection, XSS and RCE attacks is using runtime application security. The latest draft version of the NIST Framework for SP 800-53 now includes RASP (Runtime Application Self Protection) as a requirement for an organization’s security framework. By having security that’s close to the application, you get greater visibility into and understanding of when an attack is happening, and better tools to control the attack. Traditional security tools like Web Application Firewalls (WAFs) sit on the network perimeter and can miss nuanced and sophisticated attacks.
K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on knowledge of past attacks to recognize a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects the application from the risks listed in the OWASP Top Ten, including Injection attacks.
In addition to providing runtime application security, K2 can also help with faster vulnerability remediation in your web application code during your penetration testing cycle. The K2 agent is deployed on the pen testing/QA server and no change in testing methodology or setup is required. K2 works in conjunction with your existing scanning tools or pen testing tools. K2 creates a vulnerability report at the end of the testing cycle detailing additional telemetry on the vulnerability including which file and line number in the code has the vulnerability. K2 can also find additional vulnerabilities in the application that the testing tools may have missed.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.
Change how you develop and protect your applications.
Find out more about K2 today by requesting a demo, or get your free trial.
The post Websites Have 3.2 Critical Application Vulnerabilities on Average appeared first on K2io.
*** This is a Security Bloggers Network syndicated blog from K2io authored by Timothy Chiu, VP of Marketing. Read the original post at: https://www.k2io.com/websites-have-3-2-critical-application-vulnerabilities-on-average/