Over the last 10 years, more than half of all the security bugs that were weaponized were for two application frameworks – Apache Struts and WordPress.
A recent study focused on analyzing all the vulnerabilities disclosed over the past decade resulted in quite an interesting discovery. [RiskSense] According to analysts, around 55% of all security vulnerabilities that have been discovered, weaponized, and exploited during this period were for only two major application frameworks – Apache Struts and WordPress.
A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks: WordPress and Apache Struts. https://t.co/IDJTATWx1z
— Adam Levin (@Adam_K_Levin) March 17, 2020
The company conducting the study is risk analysis firm RiskSense. Its report also found that the Drupal content management system ranked as third on the list, with Ruby on Rails and Laravel following closely.
Other concerning findings
When it comes to programming languages, the most vulnerabilities that were weaponized during the same period were found in PHP and Java apps.
However, while the weaponization itself still remains low, the number of vulnerabilities is quite high, which makes them both potentially dangerous. And it is only a matter of time before hackers start focusing more on them.
On the other hand, Perl and Ruby programming languages started seeing fewer and fewer weaponized vulnerabilities over the decade, as their popularity faded.
Researchers also paid attention to the vulnerability types, noting that cross-site scripting (XSS) bugs were the most common in the early 2010s but were not the most weaponized ones. The ones that were the most weaponized include injection-based flaws, which could allow hackers to inject their own commands into the systems.