Security Brief Asia is reporting on new research showing more than 40 billion records were exposed by data breaches in 2021. According to the research from Tenable's Security Response Teams, they found a considerable increase in breach incidents, with 1,825 breach data incidents publicly disclosed between November 2020 and October 2021, compared with the same period in 2020, which saw 730 publicly disclosed events with just over 22 billion records exposed. 

Back in September of 2021 we wrote that the OWASP working group had a draft of latest Top 10 Web Application Security Risks, their first update since the 2017 revision.  The working group finalized their list and published a final version a month later in October of 2021.  With the list out for a few months now, let's take a quick look at what's changed with the new OWASP Top 10.

Nearly every organization can be infiltrated by cyber attackers, based on data from dozens of penetration tests and security assessments. The vast majority of businesses can be compromised within a month by a motivated attacker using common techniques, such as compromising credential, exploiting known vulnerabilities in software and Web applications, or taking advantage of configuration flaws.

As we approach the end of 2021, we’d like to present our predictions for 2022 for the application security community.  It would be easy to just predict that cyber attacks will continue to increase, that we’ll find more vulnerabilities in production code (after four record years and probably a fifth), and that ransomware will exact a record-setting payment from an organization in the coming year.  Instead, we’ll focus on three predictions that are probably a little less likely, but ones we may still actually see come to pass in the coming year.

A new report written by Osterman Research notes that most websites use third-party libraries to simplify common functions, but these same libraries often have application security risks.  Organizations also typically lack visibility into third party code, making it difficult to determine if websites and web applications have been compromised.