Errors that allow SQL injection and cross-site scripting attacks are still the top vulnerabilities that pen-testers find, especially at smaller companies.

Despite years topping vulnerability lists, SQL injection (also known as database injection) and cross-site scripting errors (XSS) remain the bane of security teams, according to a new report by a penetration-testing-as-a-service company.

The report by BreachLock, based on 8,000 security tests performed in 2021, organizes its findings based on risk. Critical risk findings pose a very high threat to a company’s data. High risks could have a catastrophic effect on an organization’s operations, assets or individuals. Medium risks could have an adverse impact on operations, assets or individuals.

More than a third of the critical risks found in web applications (35%) can be attributed to injection or data exposure, which the report noted is a matter of concern because the number of applications hosted on the internet is growing with the increase in digitalization among organizations.

“Despite SQL injection being such a common vulnerability for years, I’m surprised to see it is still as common as it was in 2014, 2015. More than 27% of our critical findings are SQL injection findings,” says BreachLock Vice President of Products Prateek Bhajanka.

Adoption of DevSecOps improving application security

Even more alarming, according to the report, is that more than 50% of the high-risk findings in web apps could be pegged to cross-site scripting errors. The report explained that developers often take the “deny list” approach to data validation over the “allow list” approach, which leads to new data exploiting cross-site scripting vulnerabilities.

Nevertheless, critical and high findings for web apps represent only 5% of all findings for the category.
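The deny-list versus allow-list point the report makes, shown as an added illustration that is not from the report or this article: a deny-list filter that strips a few known-bad tokens passes any markup it has never seen, an allow-list validator rejects anything outside the permitted shape, and HTML output encoding neutralises whatever still reaches the page. The filter patterns, username rule and sample inputs are all constructed.

```python
import html
import re

# Deny-list filter: strips a handful of known-bad tokens and passes everything else.
# This is the validation pattern the report associates with recurring XSS findings
# (constructed example, not the report's own code).
DENY_LIST = re.compile(r"</?script>|javascript:", re.IGNORECASE)

def deny_list_filter(value: str) -> str:
    """Remove only the tokens the deny list knows about; unknown markup survives."""
    return DENY_LIST.sub("", value)

# Allow-list validator: describes the only shape a username may have and rejects the rest.
USERNAME = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def allow_list_validate(value: str) -> bool:
    """True only if the whole value matches the permitted character set and length."""
    return USERNAME.fullmatch(value) is not None

def render_greeting(value: str) -> str:
    """HTML-context output encoding, applied even to values that passed validation."""
    return f"<p>Hello, {html.escape(value, quote=True)}</p>"

# Constructed sample inputs (not taken from the report).
SAMPLES = [
    "alice_01",               # a legitimate username
    "<script>x</script>",     # on the deny list, so the filter strips it
    "<marquee>hi</marquee>",  # markup the deny list has never heard of
]

def compare(value: str) -> dict:
    """Report what each approach does with one input."""
    filtered = deny_list_filter(value)
    return {
        "input": value,
        "after_deny_list": filtered,
        "deny_list_left_markup": "<" in filtered,
        "allow_list_accepts": allow_list_validate(value),
        "encoded_output": render_greeting(value),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        for key, val in compare(sample).items():
            print(f"{key}: {val}")
        print()
```

The third sample is the case the report describes: the deny list leaves the unfamiliar markup intact, while the allow list rejects it outright and the encoded output renders it as harmless text.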
These data insights re-affirm that web application security, especially with the adoption of DevSecOps, is resulting in improved application security, the report claimed.

When analyzing the infrastructure of organizations, BreachLock found a greater percentage of critical and high vulnerabilities in their internal infrastructure (more than 15%) compared to their external infrastructure (more than 9%). That indicates, the report noted, that organizations impose greater rigor in managing external-facing vulnerabilities than internal ones.

The report cautioned that cyber threats don’t only come from external-facing assets. Internal systems can be breached using phishing emails and stolen credentials to elevate privileges and move laterally within a network.

Smaller organizations more vulnerable

Critical and high findings were low in mobile apps, just over 7% for Android apps and close to 5% for iOS programs. Among the most common high and critical errors in mobile apps identified in the report were credentials hard-coded into apps. Using these credentials, attackers can gain access to sensitive information, the report explained.

More than 75% of the errors found in APIs were in the low category. However, the report warns that low risk doesn’t equate to no risk. Threat actors don’t consider the severity of the findings before they exploit a vulnerability, it warned. Among the highest critical risks found in APIs were missing function-level controls (47.55%) and Log4Shell vulnerabilities (17.48%).

Of all high and critical findings across companies, the report noted, 87% were found in organizations with fewer than 200 employees.
The report identified several reasons for that, including cybersecurity being an afterthought in relatively small organizations; a dearth of bandwidth, security know-how, and staffing; a lack of security leadership and budget; and the speed of business overpowering the need to do business securely.

The report also analyzed average times for mitigating critical and high findings by business vertical, finding the highest times in the manufacturing (101 days) and healthcare (95.56 days) sectors and the lowest times in the automotive (30 days) and professional services (33 days) sectors.

Bhajanka hopes organizations will be able to use the findings in the report to improve their cybersecurity posture. “They will be able to see whether they are doing better than global peers in the industry or doing worse,” he observes. “If they’re doing worse, it should be an alarm for them.”