Web applications (web apps) are rapidly growing in both importance and complexity. As e-commerce becomes more popular, the availability and security of an organization’s web presence have a dramatic impact on its profitability.
While developers commonly perform security scanning against the code that they write in-house, this is only a fraction of the code contained within a web application. Heavy use of third-party code, including open-source libraries, adds new functionality but also introduces additional vulnerabilities.
For most organizations, who have limited visibility into the external code that their applications depend upon, a web application firewall (WAF) is the best choice for protecting their web applications against exploitation.
Code Reuse is Often “Best Practice”
When creating a new application, few, if any, developers write every line of code from scratch. The sheer complexity of any program requires the use of existing code to implement crucial functionality.
As a result, some level of code reuse is considered “best practice”. In fact, many of the core metrics by which an application developer is evaluated benefit from the reuse of existing code and external libraries.
In general, code reuse speeds development time and can improve the correctness and efficiency of the application. Most developers are not experts in every topic, so using code written by someone who is an expert in that topic speeds the development process and decreases the probability of costly errors.
Open Source Libraries Introduce New Attack Vectors
One of the main challenges in the use of external code is ensuring that the libraries and other sources of third-party code used by an application are, in fact, high quality. While some libraries are created by organizations with strong code review practices, others are not. As a result, the use of external code can sometimes create more problems than it solves.
In fact, the number of vulnerabilities in open-source libraries has grown significantly in recent years. In 2019, 968 new vulnerabilities were assigned a Common Vulnerabilities and Exposures (CVE) designation. This is more than twice as many as the 421 added in the previous year.
Many of these vulnerabilities exist in projects that are in widespread use. The projects with the highest number of new CVEs were Jenkins, an automation server commonly used for DevOps, and MySQL, a widely used database system, each of which had fifteen new vulnerabilities added last year. Other major projects with vulnerabilities actively exploited by cybercriminals include Elasticsearch, Kubernetes, and Magento.
Many of these projects are in common use within a number of organizations. If an application imports and uses vulnerable functionality from these projects, it inherits their vulnerabilities. Unless a development team patches these vulnerabilities, it can leave an organization vulnerable to attack.
Many Organizations Lack Visibility Into Open-Source Dependencies
A core component of patching vulnerabilities in an application is knowledge of the existence of the vulnerability. However, many developers lack insight into the full array of third-party code that their applications depend upon.
Software composition analysis (SCA) is essential to identify the vulnerabilities that an application inherits from its dependencies. SCA involves scanning an application for open-source components that contain known vulnerabilities. However, 40% of developers never perform SCA or insist that they never use open-source code. This claim is in stark contrast to reports that find that 95% of applications include open-source dependencies.
However, even the 60% of developers who do perform SCA scanning are not necessarily protected against exploitable vulnerabilities at the time of release. On average, a vulnerability in an open-source project takes 54 days to be added to the National Vulnerability Database (NVD) after being publicly disclosed.
In contrast, a cybercriminal can develop an exploit for a vulnerability within a couple of weeks of public disclosure. This means that developers may continue using vulnerable code for a month after cybercriminals begin exploiting it before an entry in the NVD indicates that an update is necessary.
Whether developers notice this, or are even aware that the new vulnerability affects the security of their code, depends on whether and how frequently they perform SCA on their applications.
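To make the SCA step concrete, here is a minimal dependency checker added as an example (it is not code from the original article or from any SCA product). It parses a requirements.txt-style manifest, then matches each pinned package against an advisory list that records the introduced and fixed versions, which is the core of what an SCA scan does. The package names, versions and advisory identifiers are constructed placeholders, not real projects or CVEs.

```python
"""Minimal software-composition-analysis (SCA) check.

Added example, not code from the original article. It parses a
requirements.txt-style manifest and matches each pinned dependency against
an advisory list with affected version ranges. The manifest and advisory
entries below are constructed placeholders, not real packages or CVEs.
"""
import re

# Constructed sample manifest (hypothetical packages and versions).
MANIFEST = """\
# hypothetical web app dependencies
widgetlib==2.3.1
fastparse==0.9.0
imgkit==1.4.2
"""

# Constructed advisory feed: (package, introduced, fixed, advisory_id).
# A version v is affected when introduced <= v < fixed.
ADVISORIES = [
    ("widgetlib", "2.0.0", "2.3.2", "ADV-PLACEHOLDER-001"),
    ("fastparse", "0.5.0", "0.8.0", "ADV-PLACEHOLDER-002"),
    ("imgkit",    "1.4.0", "1.5.0", "ADV-PLACEHOLDER-003"),
]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {package: version} from 'name==version' lines, ignoring comments and blanks."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return [(package, version, advisory_id, fixed_version)] for affected dependencies."""
    findings = []
    for pkg, introduced, fixed, adv_id in advisories:
        if pkg not in deps:
            continue
        v = parse_version(deps[pkg])
        if parse_version(introduced) <= v < parse_version(fixed):
            findings.append((pkg, deps[pkg], adv_id, fixed))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv, fixed in find_vulnerable(parse_manifest(MANIFEST)):
        print(f"{pkg}=={ver} affected by {adv}; upgrade to >= {fixed}")
```

Two limitations are worth noting because they mirror the article's point about visibility. The checker only sees what is in the manifest, so transitive dependencies pulled in by the listed packages are invisible unless a fully resolved lock file is scanned instead. And it can only flag advisories already in its feed: during the lag between public disclosure and an NVD entry, a scan against NVD data alone reports the dependency as clean.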
Securing Web Applications Against Exploitation
An organization’s web applications are a vital but vulnerable component of their digital attack surface. These applications often have access to and process sensitive and valuable customer data, making them a prime target for cybercriminals. The fact that they are exposed to the public Internet only serves to make them easier to attack.
A high percentage of these web applications are likely to contain exploitable vulnerabilities due to their use of open-source components. However, many developers do not perform the security testing required to identify and remediate these vulnerabilities. As a result, vulnerable components go unpatched, and the application remains vulnerable to exploitation.
As applications become more complex and the number of open-source vulnerabilities grows, this problem is only likely to get worse. Attempting to identify and individually patch every vulnerability in an organization’s web presence is an unscalable and potentially infeasible approach to security.
Taking advantage of the “virtual patching” functionality offered by a WAF provides a solution to this problem. A WAF can identify and block traffic attempting to exploit known vulnerabilities, and it can be updated with rules for newly disclosed vulnerabilities far faster and more easily than the applications it protects.
This dramatically narrows the gap between vulnerability disclosure and protection, shrinking the window in which a cybercriminal could exploit a vulnerable web application.
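The following is an added illustration of what a virtual patch looks like in practice; it is not code from the original article or from any WAF product. Each rule is tied to one request path and one parameter and applies an allowlist pattern to that parameter, so requests that could reach the affected code path with unexpected input are rejected while the rest of the application keeps working until the dependency itself is upgraded. The endpoint paths, parameter names, patterns and patch identifiers are constructed placeholders.

```python
"""WAF-style "virtual patch" filter.

Added example, not code from the original article or any WAF product. A
virtual patch is a rule enforced in front of the application that rejects
requests which could reach a known-vulnerable code path, buying time until
the underlying dependency is patched. The endpoints, parameter names,
patterns and patch ids below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class VirtualPatch:
    patch_id: str          # internal tracking id (placeholder)
    path: str              # request path the rule applies to
    param: str             # query parameter to validate
    allowed: re.Pattern    # allowlist: parameter value must fully match
    methods: frozenset = field(default_factory=lambda: frozenset({"GET", "POST"}))


# Constructed rules: positive-security (allowlist) checks on parameters of
# hypothetical endpoints whose backing library has an unpatched advisory.
RULES = [
    VirtualPatch("VP-PLACEHOLDER-001", "/api/report", "id",
                 re.compile(r"[0-9]{1,10}")),
    VirtualPatch("VP-PLACEHOLDER-002", "/api/export", "name",
                 re.compile(r"[A-Za-z0-9_-]{1,64}\.csv")),
]


def evaluate(method, url, rules=RULES):
    """Return (decision, patch_id); decision is 'allow' or 'block'.

    Rules fire only on their own path and methods, so requests to unrelated
    endpoints pass through and the patch does not break the rest of the app.
    parse_qs percent-decodes values, so the allowlist is applied to the
    value the application would actually receive.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for rule in rules:
        if parts.path != rule.path or method not in rule.methods:
            continue
        for value in query.get(rule.param, []):
            if not rule.allowed.fullmatch(value):
                return "block", rule.patch_id
    return "allow", None


# Constructed sample requests as seen by the WAF: (method, URL).
SAMPLE_REQUESTS = [
    ("GET", "/api/report?id=42"),
    ("GET", "/api/report?id=abc"),
    ("GET", "/api/export?name=q1-sales.csv"),
    ("GET", "/api/export?name=notes.txt"),
    ("GET", "/healthz"),
]

if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        decision, pid = evaluate(method, url)
        tag = f"  [{pid}]" if pid else ""
        print(f"{decision:5} {method} {url}{tag}")
```

The rule is deliberately an allowlist rather than a list of known-bad strings: it describes what the endpoint legitimately accepts, so it does not need updating as new exploit variants appear. Two caveats apply when deploying this in front of a real application: the WAF must decode and normalize the request the same way the application does (percent-encoding here, but also body encodings, character sets and duplicate parameters), and the rule must be scoped tightly enough that it never blocks legitimate traffic, which is why each one is bound to a single path and parameter and logged under its own patch id.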