Web Application Security’s Lost Year

It’s been over a year now since everything shut down. As we enter into the second spring of the pandemic, organizations are able to better evaluate what worked and what didn’t as they unexpectedly transitioned to remote work. One area that suffered was web application security, according to a report by Invicti Security, which referred to 2020 as a “lost year.”

“In a year marked by a pandemic, organizations were forced to shift their focus to enable employees to work from home nearly overnight,” the report stated. “This necessary pivot came at the cost of web application security, where 2020 saw the first year of several in which the state of web app security did not improve, and in the case of some high-severity vulnerabilities, worsened.”

According to the study, the number of high-severity and medium-severity vulnerabilities steadily decreased at an average of 22% between 2016 and 2019. That trend came to a screeching halt thanks to COVID-19 and remote working. The reasons are simple: organizations had to redirect IT resources to handle the sudden WFH model and security models shifted to focus on endpoint security, using the funds that would have normally gone toward web application security.

These are issues that Jack Mannino, CEO at nVisium, witnessed firsthand. “Many teams are juggling reduced budgets and team capacity, while launching new products and keeping existing ones safe,” Mannino said in an email comment. “Prioritizing security fixes or features can stretch engineering teams thin when goals shift. Teams chasing noise or issues that don’t matter will fall behind quickly.”

Web Application Security More Critical Than Ever

Other findings from the report include:

  • An overall prevalence of high-severity vulnerabilities such as remote code execution, SQL injection, and cross-site scripting;
  • Medium-severity vulnerabilities such as denial-of-service, host header injection and directory listing, remained present in 63% of web apps in 2020;
  • Several high-severity vulnerabilities did not show improvement in 2020 despite being well understood, such as the incidence of remote code execution, which increased by one percentage point last year.

COVID-19 pushed organizations and consumers to an even greater reliance on web applications. As organizations depend on web applications – ranging from web conferencing and collaboration environments to e-commerce sites – to handle what were once in-person tasks, web application security has become even more critical than ever. And that’s what makes a lost year of web application security so troublesome.

Web attacks reached new highs during the pandemic, according to Interpol, and that puts the security of companies at greater risk.

“It’s very troubling to see this loss of momentum due to reduced attention to web application security,” said Invicti president and COO Mark Ralls in a formal statement. “As we look ahead, we hope to see organizations adopt best practices and invest in security, so that they can continue to advance their web security posture, protect their customers, and avoid being the next big security breach headline.”

It’s Not All Bad News

While many organizations were already embracing cloud-based infrastructure and services, the pandemic kicked those initiatives into hyperdrive, Hank Schless, senior manager, security solutions at Lookout, pointed out in an email interview. This was done to ensure continued productivity from anywhere and seamless access to internal resources across various platforms, cloud and on-premises infrastructure.

“In addition to delivering productivity through the cloud, teams also realized how necessary it was to have cloud-based security solutions in place,” said Schless. “Because of the complications associated with securing a mix of personal, corporate, managed and unmanaged devices, it became necessary to implement a zero-trust strategy across the board.”

While the lost year meant teams had to adjust their strategies, it also had the benefit of driving the security modernization that many organizations needed.

“Securing everything from the endpoint all the way to the cloud is the only way to stay ahead of today’s attacks,” said Schless. “This requires organizations to secure managed and unmanaged devices, create context-based access policies for users and devices and ensure secure access to cloud-based infrastructure and resources.”

Avatar photo

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.

sue-poremba has 271 posts and counting.See all posts by sue-poremba