NEW! Acunetix 2020 Web Vulnerability Report: Insights for Web and Application Developers


Every year, Acunetix publishes an in-depth report of the most common web security vulnerabilities and network perimeter vulnerabilities. Download the Report HERE

Their annual Web Application Vulnerability Report is based on real data taken from Acunetix Online. Analysts at Acunetix use a random selection of websites and web applications protected using their in-house software, anonymise the web apps and websites, and perform statistical analysis. Although this data is global, it still provides insights into key trends and industry analysis of issues affecting ANZ web developers and application developers.

This annual report is a must-read document for Web Developers, Application Developers, IT Administrators, Dev Ops, and even C-level Security Officers. Essentially, any organisation based in Australia and New Zealand that is implementing a robust and active cybersecurity strategy will benefit from downloading this report.

Website Vulnerability Graph 2016-2019

Acunetix Web Vulnerability Data

Acunetix’s findings from 2020 indicate there has been a 30% reduction in the number of vulnerabilities. However, while the numbers were lower, most newer applications and targets still demonstrated high counts of vulnerabilities. While the overall security of web applications and websites seems to be improving, there are still significant security flaws that need to be addressed. The report reveals that 25% of web applications and websites from 2020 have Cross-site Scripting (XSS) vulnerabilities, vulnerable JavaScript libraries, and WordPress-related issues. The 2020 Web Vulnerability Report finds that newer developers do not have the knowledge required to avoid vulnerabilities. Additionally, developers working within a development structure that does not promote web security continue to pursue development strategies that are not secure.


The Acunetix 2020 Web Vulnerability Report does a deep dive into Remote Code Execution, SQL Injection (SQLi), Weak Passwords and Missing Brute-Force Protection, Server-side Request Forgery, Perimeter Network Vulnerabilities, DoS-related Vulnerabilities, TLS/SSL Vulnerabilities, WordPress (and Other CMS) Vulnerabilities, Web Server Vulnerabilities and Misconfigurations, and other specific vulnerabilities.

Download the Report HERE

Interested in learning more about Acunetix v13? Watch the Video

Source: https://www.acunetix.com/acunetix-web-application-vulnerability-report/


Let’s patch FileZilla using System Center 2012 R2!


While patching Microsoft applications these days might be easy using System Center or WSUS, non-Microsoft applications usually get forgotten. With the vast majority of vulnerabilities being present in your non-Microsoft applications, you can no longer simply take a guess at what to package up. How easy is it using a tool that has been specifically created for this problem? Let’s patch FileZilla 3.0.2.1 to 3.7.3.

Out of date versions are a security issue


The process of patching using the Flexera Corporate Software Inspector is very easy. Once it is set up, the data for the machine is already in the handy System Center plugin, waiting to be updated:


The SPS is a dynamic list, only showing you what your environment needs, unlike a traditional catalogue.


Using the wizard, the process was as simple as “next, next, publish” and the package was created:


Did you know you can also drive auto deployment rules?


Finally, we deploy the package via System Center:


Deployment is no different to a Microsoft patch!


From here you use the built-in Configuration Manager options to deploy the software (patch FileZilla), either by a deadline or whenever the end user wants it:

Ready to install

Deadlines and maintenance windows can be used as normal.


And we are done!


The process took only a few minutes!


If you would like to see more on how to patch FileZilla, including the wizard and also the huge database of products ready to be deployed, contact us for more information!


Update 1:

Below is the video of me conducting this, only 2 minutes long!

Are you patching effectively?


Patching is critical to keeping your business secure, but many people think they can do it better manually. Even worse, when patching manually with no vulnerability scanning, you never get an accurate picture of what needs to be secured on your network. Are you patching effectively?

Think you are doing a good job? Take one of our quick-scans and find out how you stack up, and then let us show you how you can do it better.

Australian Signals Directorate – “Security patching is key”. How compliant are you?


The Australian Signals Directorate (ASD) considers the timely deployment of application patches a core function of IT management. Security patching is key to reducing an organisation’s vulnerability level across applications and operating systems.

In fact, the ASD currently rates application patching as one of the most effective security practices agencies can perform to mitigate targeted cyber intrusions. Even so, we continually see organisations failing to implement a strategy to effectively manage this ongoing challenge.


Did you know?
The majority of successful cyber-attacks use publicly known vulnerabilities for which a patch is available. This means that a good portion of these attacks could have been avoided if companies and organisations had used vulnerability intelligence to mitigate the risks.

Want to find out how vulnerable your organisation is?
Get a Quick Scan – we can tell you in just a few minutes how secure you actually are.
If you’d like to learn a bit more first, contact us for more information.


Quickscan results showing the 3rd party application risk in your environment.

How can we help?
The Corporate Software Inspector from Secunia (now part of Flexera Software) is the intelligent solution to manage your security patching, enabling you to assess, prioritise and execute software vulnerability remediation to reduce risk. CSI tells you the when, where, what and how of security patching: it alerts you when a software vulnerability with an available patch is threatening your infrastructure, where it will have the most critical impact, what the right remediation strategy is, and how to deploy it.

The Corporate Software Inspector lets your team know what to patch for maximum impact and consistent risk reduction. You get complete visibility of your systems, stay current and reduce the cost of your patch process significantly.

Drive-by downloads, being exploited without knowing


Imagine this: your employee is browsing the internet for recipe ideas for that night’s dinner. After a few different sites, they stumble upon the website of a well-known chef with exactly what they want.

Just a few moments later you get a call: their machine is showing a well-known ransomware landing page and the malware is currently making its way through your network drives, encrypting your data. How did this happen? They never clicked any malicious-looking emails, and they never browsed to any websites that weren’t reputable, and yet they have been hit with ransomware.

Fiesta EK attack paths


What has happened is a drive-by download: a malicious exploit kit is quietly downloaded in the background and exploits known vulnerabilities in software that has not been patched. Simply by going to the website, the script was actioned, the exploit kit downloaded, and the malware payload dropped onto the machine.

While this may sound like something that would only happen to people browsing ‘dodgy’ websites, keep in mind that just this year jamieoliver.com has been exploited three times with this exact method; February, March and May. As part of the exploit the ‘Fiesta EK’ was downloaded, which has been known to prey on vulnerabilities in unpatched versions of Flash, Silverlight, IE, Reader and Java. It has also been known to drop TeslaCrypt, a well known piece of ransomware that has been spawned off the previous ‘successes’ of the well known Cryptolocker.


Script calling the Fiesta Exploit Kit to be downloaded

So how do you protect against these seemingly undetectable threats? Fancy IPS or IDS systems, antivirus or malware analysis systems?

No, the solution is much simpler than that: patch your software.

It really is that simple. By patching the vulnerabilities that these exploit kits use to drop the malware, you close the loop and stop the exploit from being successful. In the case of the Fiesta EK, patching your Microsoft vulnerabilities alone will do nothing to stop the kit; you MUST patch your third-party software as well.
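The posts above argue that the check which matters is whether third-party software on each machine is below its patched version, and that plain version strings are easy to get wrong. As an added example (not code from the original posts or from Secunia/Flexera), here is a minimal patch-compliance check over a constructed inventory. The FileZilla versions (3.0.2.1 installed, 3.7.3 patched) come from the FileZilla post; every other product, host name and baseline value is a placeholder, not a real advisory.

```python
# Added example: third-party patch-compliance check over a constructed inventory.
# Only the FileZilla versions come from the post above; all other values are
# placeholders, not real advisories.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(v: str) -> Version:
    """'3.0.2.1' -> (3, 0, 2, 1). Comparing integer tuples avoids the classic
    string-comparison bug where '3.10' would sort below '3.7'."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())  # tolerate '3.7.3a'
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_outdated(installed: str, baseline: str) -> bool:
    """True when installed is strictly older than the patched baseline.
    Shorter versions are zero-padded so 3.7 compares equal to 3.7.0."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def find_outdated(inventory: Dict[str, Dict[str, str]],
                  baseline: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, baseline) for each install below the
    baseline. Products with no baseline entry are reported as 'UNKNOWN' so a
    gap in scan coverage never silently reads as 'compliant'."""
    findings = []
    for host, products in sorted(inventory.items()):
        for product, installed in sorted(products.items()):
            if product not in baseline:
                findings.append((host, product, installed, "UNKNOWN"))
            elif is_outdated(installed, baseline[product]):
                findings.append((host, product, installed, baseline[product]))
    return findings

# Constructed sample data: two workstations and a patched-version baseline.
INVENTORY = {
    "ws-01": {"FileZilla": "3.0.2.1", "Java": "7.0.45"},
    "ws-02": {"FileZilla": "3.7.3", "Flash": "11.5.502", "Notepad++": "6.5"},
}
BASELINE = {"FileZilla": "3.7.3", "Java": "7.0.51", "Flash": "11.9.900"}  # placeholders

if __name__ == "__main__":
    for host, product, installed, wanted in find_outdated(INVENTORY, BASELINE):
        print(f"{host}: {product} {installed} (patched baseline {wanted})")
```

A real scanner replaces the hand-written baseline with vulnerability intelligence; the comparison and the "unknown product" handling are the parts that are easy to get wrong either way.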

emt distributes Secunia software in APAC that specifically helps you do this; see more at https://www.emtdist.com/secunia/