- There was a 92% increase in reported vulnerabilities from 2018 to 2019, according to Bugcrowd's 2019 State of Security report.
- Broken access control, sensitive data exposure, server security misconfiguration, broken authentication/session management, and cross-site scripting were the top five vulnerabilities in the past year.
- Average payouts for finding critical vulnerabilities increased by 27% to $2,670 in bug bounty programs. There was a 29% increase in bug bounty program launches this year compared to 2018 because companies are "taking their programs public as a part of their corporate social responsibility on the internet," according to Bugcrowd's report.
As more applications are introduced to a company's technology stack, there is a corresponding increase in risk.
Having additional security oversight, in the form of hackers, researchers and pentesters, protects individual companies' assets and public well-being. This is especially important when some of the most devastating bugs — EternalBlue, Meltdown, Spectre, and the Apache Struts2 — are still causing problems.
Because big breaches often spawn from "nascent" vulnerabilities, intentionally looking for the more subtle and "easy" flaws sets the foundation for basic cybersecurity practices, according to Bugcrowd.
Web application flaws are the most reported, including issues with:
Broken access control
Server security misconfiguration
Cross-site scripting is a popular attack method executed by injecting malicious scripts on trusted websites.
Capital One is the latest company to feel the impact of a misconfigured web application, which failed to protect credentials. The bank is in the midst of cleaning up a data breach impacting 106 million customers.
Equifax's 2017 data breach was the result of a web application flaw in Apache Struts. The vulnerability allowed attackers to inject malicious code into every server running Apache Struts applications. However, a patch for the flaw was available two months prior to its exploit, leading Equifax to pay a record fine for negligence.