Web applications are still the most reliably exploitable attack surface we see across Australian organisations. Over the past year, our testing identified 324 unique findings across 1,809 individual instances. Close to a third of those were Medium severity issues in web apps and APIs.
That's not a blip. That's a pattern.

Shaun Burger
Director, Cyber Assurance
Vectra Corporation
This month we're looking at what keeps showing up in application security testing: broken access controls, cross-site scripting, CSRF, and injection flaws. None of these are new. All of them still work.
The Axios npm supply chain compromise in late March was a sharp reminder that your application is only as strong as its weakest dependency. A North Korean threat actor backdoored a library with 70 million weekly downloads through a single social engineering play. Every organisation should be asking hard questions about their third-party code.
The ASD and CISA have both called out internet-facing applications as a primary initial access vector for cybercriminals and state-sponsored actors. Our testing data backs that up. If your web apps haven't had an independent security assessment recently, the findings in this issue should give you a reason to book one in.
Web Application Penetration Testing
Vectra's application security testing covers OWASP Top 10, API security, and business logic testing across your web estate.