Protect against Log4J without patching
Learn More
Protect against Log4J without patching
Learn More

UncategorizedWeb Application Firewall | OWASP Top 10 | K2 Cyber Security


August 17, 2020 Timothy Chiu, VP of Marketing
SQL Injection, XSS, and RCE Top List of Vulnerabilities in Internet-facing Applications
A new report on the top vulnerabilities in internet facing applications in 2020 was released recently by Edgescan, and found that 42% of the vulnerabilities found in these apps are SQL Injection vulnerabilities.  The other common vulnerabilities include cross-site scripting (XSS) errors (19%), PHP vulnerabilities (16%), remote code execution (RCE) (7%), and sensitive file disclosure flaws (5%). As the report says,
SQL Injection was first discovered in 1998 and still lives happily on the Internet with its cousins XSS and RCE.”
Like SQL Injection, XSS and RCE have been standard features on the OWASP Top 10 list of web application risks which has been around since 2003 and updated every 2 years since.  These common vulnerabilities are still the bane of application developers, testers, and IT security personnel over a decade later since the publication of the first OWASP Top 10 list.

A great start for protection against SQL Injection, XSS and RCE attacks is using runtime application security.  The latest draft version of the NIST Framework for SP 800-53 now includes RASP (Runtime Application Self Protection), as a requirement for an organization’s security framework.  By having security that’s close to the application, you get greater visibility and understanding of when an attack is happening, and better tools to control the attack.  Traditional security tools like Web Application Firewalls (WAFs), sit on the network perimeter, and can miss nuanced and sophisticated attacks.

K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution.  By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack.  Deterministic security results in the detection of sophisticated zero day attacks and also protects from application from the risks listed in the OWASP Top Ten, including Injection attacks.

In addition to providing runtime application security,  K2 can also help with faster vulnerability remediation in your web application code during your penetration testing cycle. The K2 agent is deployed on the pen testing/QA server and no change in testing methodology or setup is required. K2 works in conjunction with your existing scanning tools or pen testing tools. K2 creates a vulnerability report at the end of the testing cycle detailing additional telemetry on the vulnerability including which file and line number in the code has the vulnerability.  K2 can also find additional vulnerabilities in the application that the testing tools may have missed.

K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution.  K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application.  To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry including the code module and line number being in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.

Change how you develop and protect your applications.

Find out more about K2 today by requesting a demo, or get your free trial.



Share this

Leave a Reply

Your email address will not be published. Required fields are marked *


K2 Cyber Security delivers the Next Generation Application Security Platform to secure web applications and container workloads against sophisticated attacks in OWASP Top 10 and provides exploitable vulnerability detection during pre-production. K2’s Platform is deployed on production servers for runtime protection of applications and on pen-testing/pre-production/QA servers for interactive application security testing to identify the location of the vulnerable code. K2’s solution generates almost no false positives, eliminates breaches due to zero-day attacks, detects attacks missed by traditional security tools like Web Application Firewalls and host based EDR, finds missed exploitable vulnerabilities and dramatically reduces security cost. K2 Cyber Security is headquartered in the USA and provides cyber security solutions globally.


K2 Cyber Security, Inc.

2580 N. First Street, #130

San Jose, CA 95131