Some of the Most Common Security Vulnerabilities and Fixes

A vulnerability in Microsoft’s Exchange Server contributed to a large series of cyberattacks affecting over 60,000 private companies in the US. And just one month earlier, an aerospace company, Bombardier, had its employees’ and suppliers’ data breached due to weaknesses in its third-party file transfer app.

There are many security vulnerability types that can put your IT system on hackers’ radar. From poor coding practices to defective external components, no matter what the reason is, many companies end up being exposed. To mitigate this issue, businesses benefit from QA and testing services to evaluate their own software and networks and assess the security risks of external vendor components.

So, which security vulnerability types may be exposing your system to cyberthreats at this very moment? How do vulnerabilities appear? And how can we mitigate them?

What is a software vulnerability, and where does it originate from?

A security vulnerability is an unintended system or component characteristic that magnifies the risk of an intrusion or data loss, either by accidental exposure, intentional attack, or conflicts with new components. Such a vulnerability can be a design flaw, an implementation bug, a misconfiguration, etc.

Before we proceed any further, let’s clarify the difference between a vulnerability, an exploit, and a threat.

• A vulnerability exists in the system without any efforts from outsiders

• An exploit is a way that intruders use an existing system weakness to mount an attack

• A threat is an actual incident when one or multiple exploits use a vulnerability to penetrate a system

  
  

Security experts can eliminate vulnerabilities upon discovery using software patches, hardware replacement, and system reconfiguration. Training the end-users on security practices and keeping all components up to date will also prevent and minimize vulnerabilities. Additionally, the security teams need to keep in mind that as systems evolve, new weaknesses appear. Therefore, businesses need to scan their software, hardware, and networks systematically for emerging vulnerabilities and fix them before they are discovered and exploited.

New security vulnerabilities keep emerging rapidly, as the US government’s National Vulnerability Database (NVD) published over 8,000 new entries in the first quarter of 2022. With this rapid pace, many businesses can’t keep up and leave open weaknesses for years, exposing their systems. A study of software vulnerabilities revealed that 75% of the attacks mounted in 2020 exploited exposures that were at least two years old, while 18% relied on weaknesses reported back in 2013!

How do security vulnerabilities get into software and networks?

According to research, 75% of applications developed by software vendors don’t comply with the Open Web Application Security Project (OWASP) Top 10 standards. These standards are publicly available. So, why are so many still failing to produce a safe application? Here are the main reasons:

• Vulnerable third-party code and other components. It’s a common practice to reuse third-party components, as this speeds up the development process significantly. However, users tend to take the security of these parts lightly, and often deploy them without thorough evaluation. The same applies to copy-pasting code from sources, such as Stack Overflow, without assessing its safety.
• Insecure coding practices. Recent studies show that security is not even on the radar for most developers. In an experiment exploring the attitude of 1,200 developers, researchers concluded that only 14% view security as a priority when writing code. Also, note that many organizations demand their developers to produce code fast under tight deadlines, which simply doesn’t leave room for thorough security evaluation and results in code vulnerabilities.
• Rapidly changing cyberattack landscape. Attackers are constantly discovering new ways to breach applications’ security. So, parts that were considered immune before can become vulnerable today. If the IT team doesn’t systematically assess applications and networks for vulnerabilities, and doesn’t keep all software up to date, it’s just a matter of time until weaknesses start emerging.

Security vulnerability types classification

There are two platforms, OWASP and CWE, that offer a reliable and detailed security vulnerabilities list. They update their listings to include any emerging weaknesses. Both resources can be used to educate programmers, testers, and engineers.

OWASP is a non-profit global community, and it regularly publishes OWASP top 10 software vulnerabilities list. Common Weakness Enumeration (CWE) is a composition of software and hardware vulnerabilities also developed by a dedicated community, and it includes 25 entries.

Here are 18 of the most prominent security vulnerabilities that we want to highlight in this article, sorted by domain. These can manifest themselves in any IT system, such as the cloud, IoT-based configurations, and mobile apps.

1. Lack of strong encryption practices Even though encryption would not stop a cyberattack, it is essential to ensure that sensitive data remains safe even if its storage platform is breached. Attackers can’t misuse encrypted data until they decode it, which gives the violated business time to take the necessary measures, such as notifying the impacted parties and preparing identity theft countermeasures.

Research shows that many companies have no immediate plans of encrypting data on USB sticks, laptops, and desktops. And speaking of data protection regulations, GDPR doesn’t explicitly require encryption but describes it as “appropriate technical and organizational measures” for data safety.

In its Cost of a Data Breach report, IBM pointed out that encryption is one of the most impactful factors that can reduce the average cost of data breaches.

2. Sensitive data exposure

   
   

Data can be exposed due to human error when a negligent employee uploads it to a public database or a website. But this security vulnerability type can also be supported by internal processes that actually allow an unauthorized employee to gain access to and manipulate sensitive data.

Egress, a cybersecurity firm, conducted a survey uncovering that 83% of US organizations have accidentally exposed sensitive data through email, file sharing, collaboration software, and messaging apps.

3. Insufficient transport layer protection

This type of vulnerability deals with information exchange between the client and the server application. Such information can contain sensitive data, including user credentials and credit card details. When data transportation is not secured, the communication can be intercepted, and attackers can gain access to the data and decipher the encryption if weak algorithms are used.

4. Misconfigured system components and risky interactions

Incorrectly configuring components and interactions between them is another security issue that we often encounter. For instance, while setting up an IT system, the administrator forgets to override the manufacturer’s default settings and disable directory listings, leaving the system exposed. Another example is forgetting to restrict access to outside devices.

Speaking of interactions, it is advisable for applications to adopt a zero-trust approach and view every input as risky before it is verified and proven to be legitimate. This will help avoid attacks, such as cross-site scripting, where attackers infuse an application with untrusted data.

This aspect is particularly relevant to cloud-based solutions. One research reported that server misconfigurations contributed to 200 cloud breaches in two years. Another study shows that around 70% of cloud security breaches start with faulty architecture. As an example, a misconfigured AWS storage bucket exposed 750,000 birth certificate applications in the US in 2019.

5. Weak server-side control

This security vulnerability type stands for everything that can go wrong on the server-side, from poor authentication to security misconfigurations that enable attacks, such as cross-site request forgery where some user’s browser issues unauthorized actions to the server without that user’s knowledge.

For instance, a misconfiguration in a database server can result in data becoming accessible through a basic web search. And if it contains admin credentials, then intruders can gain access to the rest of the system.

6. Remote code execution

This means that software security vulnerabilities presented by your system enable intruders to execute malicious code over the internet on your devices. For example, when an employee clicks on an email link on a third-party website, the hacker behind this setup injects the victim’s computer with malware and assumes control from there. The outsider can access sensitive data or lock the machine and demand ransom.

7. Known OS-based vulnerabilities

Every operating system has its list of software vulnerabilities. Some lists are published online for everyone to see. For example, here is the list of top 10 Windows 10 OS weaknesses, and here is the corresponding listing for OS X. It is up to security teams to review these points and address them to minimize the openings for attacks.

8. Running scripts without virus check

This is a common security vulnerability type that is present in certain web browsers. For instance, Safari allows running “trusted” scripts without explicit user permission. Hackers tend to exploit this weakness by attempting to run a malicious piece of code that can be confused with a “safe” script. Luckily, it’s often possible to disable this “feature.”

9. Weak credentialing

Intruders can gain access by brute-forcing users’ credentials. This is especially easy when the password “123456” alone is used by over 23 million people. This is in addition to passwords, such as “admin”, “password”, and “qwerty”, which are also common and rather easy to hack.

This type of software vulnerability is regarded as human-made, but businesses can implement measures that would force employees to choose stronger options and change their credentials often enough. This is crucial, given the role that weak credentialing plays in system security. Statistics show that 80% of security breaches were enabled by weak passwords and that 61% of users tend to utilize one security phrase for multiple services.

10. Using components with known vulnerabilities

Deploying third-party components, such as libraries, APIs, datasets, and frameworks, can significantly reduce the effort required to have your system up and running. But it can also introduce vulnerabilities. It’s important to remain diligent and evaluate these components to make sure they don’t leave any backdoors open to access sensitive data.

Even downloading and using third-party images could be dangerous. In 2021, 30 Docker Hub images with a download volume of 20 million, were deployed to spread crypto mining malware.

11. Insecure design

    
    

    This is a relatively new security vulnerability type that appeared on OWASP in 2021. The organization calls for secure design patterns, threat modeling, and reference architecture to eliminate weaknesses from the very beginning.

    
    

    Secure design is a methodology that constantly evaluates threats and ensures the code’s robustness. It encourages systematic testing against known attack methods. It views security as an essential part of software development, not as an add-on or a nice-to-have feature.

    
    

12. Security bugs in APIs

    
    

    Application programming interfaces (APIs) allow software components to interact with each other, which is an essential part of an IT system. However, APIs with weak security measures can open multiple loopholes, such as broken authentication and permit code injection, and other malicious practices.

    
    

    For instance, a recklessly built API, which relies on the client-side to filter information before presenting it to users, can expose data, making it available for grabs. Sensitive data must be filtered at the server-side. Here’s another example of this security vulnerability type: if an API doesn’t restrict the number of incoming requests, it can open the opportunity for Denial of Services (DoS) attacks.

    
    

    Here is the OWASP list of the top 10 API-related security vulnerabilities for your consideration. Insecure APIs opened the door to many attacks in the past years. One infamous example comes from LinkedIn, as a malicious actor used the platform’s authentication-free API to download data of 700 million users. Using a similar API breach, an intruder retrieved information on 1.3 million Clubhouse users and published it on a hacker forum.

    
    

13. Inadequate authentication

    
    

    Weak authentication measures allow hackers to exploit the “forgot password” option to reset accounts or initiate an account takeover attack. It helps the intruder when the authentication question is something like the user’s birthdate or pet name, as this is publicly available information thanks to social media. Following a multi-factor authentication process will increase security. Sadly, research shows that only 26% of the US companies use this strong authentication method.

    
    

14. Insufficient monitoring and logs

    
    

    Logs store data on system events, network activities, and user actions. By monitoring logs, security teams can observe all the activities that took place recently and identify suspicious events. If logs are not reviewed systematically, this creates an information gap where software vulnerabilities and malicious activities remain undetected.

    
    

15. Superuser privileges

    
    

    The fewer data a user can access, the less damage their account can do if compromised. However, some businesses still negligently grant superuser privileges left and right and fail to restrict employees’ access to what they need to fulfill their everyday duties. If an intruder takes hold of an admin-level account, they can disable anti-virus software and firewall, install harmful apps, take ownership of files, etc.

    
    

    According to research, 74% of data breaches start with abusing privileged credentials.

    
    

16. Outdated software

    
    

    Most businesses realize that a timely software update is a key to a secure system. However, it seems like only a few actually follow this practice. Cybernews reports on a recent study that investigates software update frequency. This research was conducted over an 18 months period, and it discovered that 95% of the websites examined actually run on outdated software with known vulnerabilities. The research team also discovered that an average software product is typically four years behind its latest patch.

    
    

    Moreover, Kaspersky determined that companies running outdated software are likely to incur 47% more costs in case of a breach.

    
    

    To give an example, the Marriott hotel chain had 500 million data records compromised in a security breach that resulted from unpatched software.

    
    

17. Vulnerabilities in source code

    
    

    These code vulnerabilities creep in during software development. For example, a program might transmit sensitive data without encryption or use a randomized string, which is not actually random. Such errors are often caught during the software testing phase.

    
    

    According to a recent Secure Code Warrior Survey, 86% of the participating developers admitted that they don’t view application security as a top priority when writing a code, with 36% attributing this to tight deadlines. The survey also revealed that 33% of the respondents don’t even understand what makes their code vulnerable.

    
    

18. SQL injection

    
    

    This security vulnerability type is relevant to websites and applications powered by Structured Query Language (SQL). It allows the attacker to alter user-supplied SQL statements and trick the interpreter to execute unintended commands and grant access to the database. This way, intruders can manipulate sensitive data by replacing/deleting/modifying sensitive fields.

    
    

    This is a rather old vulnerability that accounted for over 65% of attacks on software apps already back in 2019.

System-specific Security vulnerability types, and how to prevent these software vulnerabilities

After highlighting common security vulnerabilities, let’s move to application and system-specific weaknesses and figure out how to protect your systems from them.

The Cloud

There is an extensive list of possible security vulnerability types in the cloud, independently of whether it’s Azure, AWS, GCP, or any other cloud provider. Our cloud expert, Alexey Zhadov, divides these vulnerabilities by layers and gives tips on how to prevent them.

System layer vulnerabilities

Whatever cloud service your software is running on, there is always an operating system under the hood. Even if you can only access a control panel for your resource. Every operating system has its “holes” and “backdoors”. OS developers constantly look for these weaknesses, trying to cover the bases. That’s why it is important to keep your software up to date and be in touch with the latest developments in the cybersecurity field on known issues.

Network layer vulnerabilities

Every cloud resource is running on a cloud network. And with this comes the possibility to connect to the resource externally. The security team needs to ensure that network configuration is adequate. Never open ports that you are not planning to deploy, use whitelisting of IPs that you know and networks that are expected to connect to your solution. Be cautious about opening the direct connections to RDP/SSH ports from anywhere other than known IPs.

Configuration layer vulnerabilities

The cloud must be properly configured according to the user’s requirements and goals, and this configuration must be always maintained up to date. Set up configuration management policies and procedures, and monitor any suspicious activities.

Human factor vulnerabilities

Don’t forget about end-users and administrators that have access to the cloud solution. Account hijacking is one of the most common weaknesses in any IT system. If an intruder gains access to someone’s account credentials, they can freely enter and manipulate the system within the account’s rights, and no one will stop them until receiving a notification from the hacked user. Here is the list of the most common types of security vulnerabilities in cloud applications:

• Misconfigured networks and firewalls
• Misconfigured cloud storage
• Insecure APIs
• Poor access management
• Account hijacking
• Malicious insiders
• System vulnerabilities
• Shared tenancy vulnerabilities
• Lack of multifactor authentication for users and devices that want to join the network

Alexey recommends a few simple rules that companies can implement to protect their cloud systems:

• Keep operating systems up to date
• Protect your networks
  • Use bastion servers to access your closed perimeter
  • Configure Network Security Groups and Access Control Lists
  • Restrict access to unnecessary ports
• Configure monitoring and logging when possible
• Implement multi-factor access control for all users
• Use firewalls and DDoS protection
• Use cloud tools to check compliance with security standards, such as Azure Security Center

Web Applications

Alexey also weighed in on software security issues haunting web applications. By exploiting these vulnerabilities, attackers can cause severe damage to the application and the organization as a whole. Here are the most common web app attacks resulting from web app security vulnerabilities:

• SQL injection
• Cross site scripting
• Path traversal
• Remote command execution

If cybercriminals launch these attacks successfully, they can plant malware, compromise user accounts, access restricted information, and more. So, how to test software for vulnerabilities? Alexey recommends conducting web application security testing to assess the following parameters:

• Input validation. How can the application process input, and can it spot and block any malicious entries?
• Server configuration. Does it use a strong encryption method?
• Authentication management. Which types of authorization are enforced? Can users opt for weak passwords?
• Authorization options. Can the app protect itself against privilege escalations?
• Business logic. Can users insert invalid data? Can they skip authentication steps? Is it possible for users to damage the integrity of the app and its data?

Mobile Applications

When speaking of mobile app security, we can’t disregard security vulnerability types presented by the device itself in addition to the application. Alexey Zhadov, our cloud and mobile expert, also shared common issues that affect mobile apps:

• Weak server-side control
• Insecure data storage
• Insufficient transport layer protection
• Unintended data leakage
• Poor authorization and authentication
• Poor cryptography
• Client-side injection
• Untrusted inputs
• Improper session handling
• Lack of binary protection
• Improper OS usage
• Insecure traffic and API calls
• Code tampering and jailbroken devices
• Inadequate logging and monitoring
• Security misconfigurations

To secure mobile applications, Alexey recommends some simple practices that companies can implement in app design and maintenance:

• Open-source code assessment: Most mobile applications use open-source third-party libraries available for everyone. This streamlines the development process but also opens backdoors for potential intruders. So, it’s mandatory to rigorously test third-party code for software security vulnerabilities before incorporating it into the app.
• Strong cryptography practices: encrypt and decrypt data during transfer. With a strong data encryption technique, application data, such as source code, user info, and login credentials, your app store will be secured. Once the data is encrypted, hackers won’t be able to interpret it even if they gain access to the original content.
• Code signing certificate: developers can sign mobile applications to protect them from cyberattacks and gain user trust. Such a signature ensures that the code has not been interpreted or altered after signing the app. The security team can find several code signing certificate options with modest price tags. This practice is both cost-effective and reliable.
• Data cache protection: cached data contains information retrieved from the app to help in faster reopening to improve the app’s performance. Data cache is generally stored without additional security measures on a user’s device. It is a safer practice to generate a password and lock the application. Moreover, Alexey recommends that you clear cached data frequently and log in using a secure network connection.
• Safe data storage: Each application contains data that intruders can misuse. It includes both users’ and app developers’ information. Therefore, it is essential to store this data safely in secured cloud storage, instead of relying on local storage units.
• Authentication and authorization techniques: It is essential to set up multi-factor authentication to prevent data theft. It includes user ID, password, PIN, OTP, etc. The authorization should always take place on the server-side to verify the roles and permissions of the authenticated users.
• Data wipe and device locking: This feature is mainly used in applications containing confidential data, such as personal, financial, health information, etc. It is a security layer where remote data is wiped after several unsuccessful login attempts from the user's side, and the application is locked automatically. It also prohibits users from choosing a sequential number for their passwords instead of capital letters, special characters, alphabets, numbers, etc.
• Reverse engineering counteraction: hackers use reverse engineering to tamper with the application’s functionality. By gaining access to the app’s source code, hackers can circumvent the authentication process, fake their location, and steal the data. Enforcing run-time security is paramount to counteract reverse engineering. It prevents intruders from modifying an app’s internal functions by changing its code structure to affect the application’s behavior.

IoT solutions

What makes IoT solutions unique from the security point of view is that every device’s capabilities are restricted by its usage requirements. There is no room to implement any fancy security features that consume extra capacity, memory, or power, which makes IoT devices vulnerable.

Our IoT expert, Yahor Paloika, highlights the following security vulnerability types in connected devices:

• Hard-coded credentials. IoT devices come with hard-coded passwords that administrators sometimes forget to change, giving hackers the possibility to easily penetrate the system using these well-known credentials.
• Unprotected networks. Some networks don’t enforce strong authentication, allowing intruders to add devices, reconfigure the setup to change data flow, intercept data, and inject their own data to imitate sensor readings.
• Weak update management. Many IoT devices work independently and don’t rely on human interference to perform updates. In this case, an update management system is responsible for making sure that automatic updates arrive through an encrypted channel, originate from a verified source, and are not corrupted. If such a system is weak, it will permit intruders to corrupt the updated software and firmware, changing the device’s behavior.
• Outdated code modules. Forgetting to eliminate outdated modules that are not used anymore gives hackers enough time to explore their software security issues and find loopholes to penetrate the system. All modules that are not a part of connected devices’ functionality must be removed.
• Data protection. All the data circulating inside the IoT network must be encrypted, and only authorized users can have access to it.

Hacking into IoT systems can have a devastating effect. For example, in an experiment, a team of researchers could penetrate IoT devices’ software in Jeep Cherokee and send malicious commands through Jeep’s entertainment system. They tampered with air conditioning, decreasing the temperature, turned the windshields on, and afterward, to the driver’s horror, they disabled the brakes. Luckily, it was just an experiment. Here are some tips that Yahor recommends to protect IoT systems:

• Use an existing security-intensive cryptographic protocol, such as Transport Layer Security (TLS), to support communication in an IoT network and compensate for the lack of built-in security
• Have a modern integrated keys and certificates management sub-system, which provides the required encryption and security level. Also, Yahor recommends updating keys and certificates once every six months at least
• Put a reliable password management system in place to generate strong passwords and changes them systematically
• Implement an update management system that will only permit secure updates from a legitimate source to get through, blocking any attempts to force corrupted changes

AI solutions

There is one aspect that substantially differentiates artificial intelligence (AI) and machine learning (ML) solutions from the rest of the systems mentioned in this article –- it’s the fact that such models are often trained to make predictions, and this training process introduces several types of security vulnerabilities. Our AI expert, Maksym Bochok, highlighted the most popular weaknesses:

• The attacker can tamper with the training dataset and force the model to learn fake rules and make wrongful predictions
• ML engineers might opt for existing pre-trained models they find online, and these models can already be malicious. For example, they might contain the Trojan virus or other malware.
• The intruder can get hold of the algorithm itself and adjust the code, the weights, and other parameters to modify the model’s behavior.

Moreover, AI is often combined with other technologies, such as IoT and the cloud, making it susceptible to the security vulnerability types introduced by those systems.

To secure AI systems, our expert recommends the following:

• When using pre-trained models and outside datasets, verify that they don’t contain any malware
• Systematically test your algorithms for the desired output to make sure no one tampered with matching rules or introduced bias, etc.
• Monitor data drifts (changes in input data)
• Detect outliers, as intruders can insert potentially dangerous data to skew the model to their desired output
• Search for any possible outliers in your training dataset
• Use general AI security assessment tools, such as Counterfit. It will help ensure that algorithms are reliable and robust.
• Benefit from existing data protection tools and safeguard confidential data when stored and used. One example is the Imperva tool which can serve as an external firewall.

On a Final Note

If you are a successful business, there is a good chance that someone has/is attempting to penetrate your system either to ask for ransom or to cause reputational damage. And as hackers are constantly looking for loopholes to exploit, your IT team is working to reduce risks. To make sure you win this race, consult an experienced security and testing company that will help you assess the state of your system and give recommendations on how to improve.

And in the meantime, to prevent different security vulnerability types from exposing your applications, pay attention to your system’s configuration, ensure that all your software is up to date, and train your employees on security practices.

Also Published here