19.5% of companies have unprotected external cloud storage

Oct 25, 2018 15:02 GMT

Insecure, legacy, and abandoned web apps are among the critical security issues leading to data breaches at FT 500 US and EU companies, according to a study by High-Tech Bridge, a provider of Application Security Testing (AST) services.

High-Tech Bridge's study analyzed the 1,000 largest companies from the US and the EU, collecting data through a "large-scale discovery and non-intrusive assessment of their external web and mobile applications, SSL certificates, web software and unprotected cloud storage."

The research is based on information collected from systems reachable over HTTP/HTTPS, not on network devices of the kind that can be discovered with IoT search engines such as Shodan.

As uncovered by High-Tech Bridge, the FT 500 US companies have 293,512 systems reachable from the Internet, of which 42,549 were found to run live web applications with dynamic functionality and content.

The FT 500 EU companies, on the other hand, have live web apps on 22,162 Internet-facing machines out of a total of 112,750 reachable from the Internet.

This translates into roughly 85.1 Internet-facing web applications per US company and 44.3 per EU company. Most of these apps have no additional access controls (such as IP restrictions or pre-authentication) to keep potential attackers away from them, and no two-factor authentication.

Internet-facing web apps are an important attack vector used to compromise FT 500 companies' servers and steal data

Furthermore, "The US companies from this research have just 2.94% of web servers with an “A” grade for properly implemented security hardening and configuration, mostly for security and privacy related HTTP headers. The vast majority - 76.9% - have a failing “F” grade," according to High-Tech Bridge's study.

EU companies' web servers have almost identical ratings: 77.4% of them received an "F" grade, while only 2.98% received an "A."

The scoring methodology is available on WebScan's About page, with comprehensive details regarding all scoring points used to reach the final rating.
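To make the "A" versus "F" distinction concrete, here is an added example (not code from the page, from High-Tech Bridge, or from WebScan, and not WebScan's published scoring methodology) that checks a response's security and privacy related HTTP headers and maps the findings to a letter grade. The two header sets are constructed for this example, one modelled on a hardened server and one on a legacy, unmaintained one; the rule set, the 180-day HSTS threshold and the grade cut-offs are assumptions chosen for illustration. Each header set is a plain dict, so it assumes a single Set-Cookie header per response.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample response headers for this example; not captured from any real FT 500 server.
HARDENED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
    "Server": "nginx",
}

LEGACY_HEADERS: Dict[str, str] = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Set-Cookie": "PHPSESSID=deadbeef; path=/",
}

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed threshold: 180 days


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing control; an empty list means nothing to report."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than 180 days")

    csp = _get(headers, "Content-Security-Policy") or ""
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline or unsafe-eval")

    # Clickjacking protection can come from either CSP frame-ancestors or X-Frame-Options.
    if "frame-ancestors" not in csp and _get(headers, "X-Frame-Options") is None:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")

    cookie = _get(headers, "Set-Cookie")
    if cookie is not None:
        # Attributes follow the first "name=value" pair; compare them case-insensitively.
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie set without the Secure flag")
        if "httponly" not in attrs:
            findings.append("cookie set without the HttpOnly flag")

    # Version strings in banner headers help attackers pick exploits for unmaintained software.
    for name in ("Server", "X-Powered-By"):
        value = _get(headers, name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} header discloses a software version: {value}")

    return findings


def grade(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Map the number of findings to a letter grade (cut-offs are an assumption for this example)."""
    findings = check_headers(headers)
    count = len(findings)
    if count == 0:
        letter = "A"
    elif count <= 2:
        letter = "B"
    elif count <= 4:
        letter = "C"
    elif count <= 6:
        letter = "D"
    else:
        letter = "F"
    return letter, findings


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_HEADERS), ("legacy", LEGACY_HEADERS)):
        letter, findings = grade(sample)
        print(f"{label}: grade {letter}")
        for finding in findings:
            print("  -", finding)
```

Run against a real site, the header dict would come from the response of an HTTPS request to each discovered host; the point of the example is that a server with no HSTS, no CSP, no cookie flags and version-leaking banners accumulates enough findings to fail outright, which is the pattern the study attributes to abandoned applications.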

Also, as listed in the report's key findings, 19.5% of the companies in the study have unprotected external cloud storage, while "92% of external web applications have exploitable security flaws or weaknesses."

Moreover, High-Tech Bridge found that every studied FT 500 company has at least one GDPR non-compliance issue, and that only 2% of Internet-facing web apps are adequately protected by a properly configured Web Application Firewall (WAF).

"The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today," said Ilia Kolochenko, High-Tech Bridge’s CEO and Founder. "Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them."

Further details on High-Tech Bridge's findings regarding IoT, Content Security Policy, SSL/TLS encryption, and more can be found on the web page for the study, "Abandoned Web Applications: Achilles' Heel of FT 500 Companies."