News

Java Apps More Vulnerable than .NET Apps, Report Finds

• By David Ramel
• January 27, 2021

Java applications currently represent a greater security threat than .NET applications, according to a new report from Contrast Labs. The top Common Vulnerabilities and Exposures (CVEs) for software written in Java are earning  significantly higher Common Vulnerability Scoring System (CVSS) scores than the CVSS scores for the top .NET CVEs, the report notes, suggesting higher risk for Java apps.

The CVSS provides an open and standardized rating of application vulnerabilities, assigning them unique CVE numbers. A score of between 7.0 and 8.9 is considered high.

Contrast Labs publishes vulnerability and attack metrics on a bimonthly basis in order to provide actionable data for organizations. In its just published "2020 Application Security Observability Report," its researchers analyzed application security (AppSec) trends for the 12 months ending on May 31, 2020.

"Notably, twice as many Java applications have at least one serious vulnerability than .NET ones," the report reads. "Specifically, over twice as many Java applications have at least one serious vulnerability compared to .NET and .NET Core -- 42 percent versus 16 percent and 20 percent, respectively. And 18 percent of Java applications have at least six serious vulnerabilities, while only 7 percent of .NET ones have that many. Particular problem areas for Java applications include broken access control (26 percent) and XSS (22 percent). This can be traced to a lack of standardization in Java, which is an open-source language -- compared with .NET, which is highly standardized and controlled by Microsoft."

In the September–October 2020 time frame, .NET apps had more serious vulnerabilities, the researchers noted. Specifically, serious cross-site scripting and broken access control vulnerabilities were found in 2% more applications during that period compared with July–August, which represents a 23% and 31% increase, respectively.

"Cross-site Scripting vulnerabilities provide an opportunity for bad actors to masquerade as a 'victim user' in order to carry out any actions that the user is able to perform and access any of the user's data," the report reads. "Broken Access Control vulnerabilities allow attackers to bypass authorization safeguards and perform tasks as if they were privileged users. Both Cross-site Scripting and Broken Access Control vulnerabilities, if exploited, can enable bad actors to access and control an application's functionality and data."

Cross-site scripting vulnerabilities were identified in 12% of .NET apps and serious broken access control vulnerabilities were identified in 7%, the report notes.

As far as the increased rate of attacks, the biggest change came from more Command Injection attacks, with 98% of applications targeted in September–October, up from 57%in July–August. On the positive side, Cross-site scripting saw a smaller increase in attacks, while broken access control vulnerabilities accounted for fewer attacks.

Other key findings in the report :

• Vulnerabilities: Nearly all applications have at least one vulnerability, and more than one-quarter have a serious one. 11 percent of applications have more than six serious vulnerabilities. Well over half of applications have insecure configuration and sensitive data exposure vulnerabilities.
• Attacks: On average, each application endured more than 13,000 attacks per month in the past year, with injection, cross-site scripting, and broken access control topping the attack-vector list. Fortunately, 98 percent of attacks do not hit an existing vulnerability. The high volume of attempts to infiltrate applications accentuates the need to effectively prioritize remediations and take steps to block attacks on applications in production. Organizations can protect themselves by taking a strategic, risk management-based approach to application security. This means prioritizing vulnerabilities according to the risk they pose, which requires organizations to have actionable data not only at an industry level but also for the specific organization.