Happy AppSec New Year - 2024 Recap

What a year 2024 was for Application Security! New technologies, new incidents, new attack patterns, and so much more!

The landscape of Application Security has undergone significant shifts over the past year. Artificial Intelligence continues to become a larger part of the cybersecurity scene, both on offense and defense. While some vulnerabilities were novel, in other cases, old became new again, as supply chain hijacking, injection attacks, and authorization failures were featured amongst many of this year’s most prominent vulnerabilities.

Let’s look through 2024 for some notable trends in Application Security and look ahead into 2025 to see some anticipated challenges. We’ll look at interesting development trends, incidents, CVEs and other reported vulnerabilities, and some interesting new tools introduced in 2024!

2024 continued to be the Year of AI, with several trends across software development practices, each with significant security implications:

Python and Jupyter Notebook usage is up across open source code at GitHub, indicating an overall trend toward data engineering and AI usage. However, this trend comes with its dangers; naively integrating with many AI frameworks can lead to data privacy, supply chain security, and infrastructure security issues.

AI Code Generators are also up in usage, with reports that up to 25% of new code at companies like Google is now generated by AI. There are risks from this adoption, such as the possible introduction of vulnerable code and insecure architectures being adopted due to an increased speed of development, underscoring the need for proper application security practices to be maintained. 

AI Agents, such as Copilot, Gemini, and the OpenAI Desktop app, are also seeing broader adoption with multimodal functionality. These integrations can contain components that can live on a user’s machine, blurring the line between explicitly and implicitly shared data. As these agents gather more data from users, data privacy becomes of paramount importance.

Notable Incidents

There were quite a few notable cybersecurity incidents in 2024, including some major data breaches, several ransomware attacks, and some APT incidents. Let’s discuss two of note: the xz-utils compromise and the CrowdStrike incident.

Last year began with a reminder of the danger of supply chain vulnerabilities when the widely used xz-utils utility was compromised through a sophisticated maintainer hijacking attack. A malicious user social-engineered their way into gaining maintainer access to the xz-utils GitHub repository over the course of two years, then published backdoored releases with Remote Code Execution potential. This backdoor was luckily discovered by a random engineer doing a performance investigation of the utility. The patience involved in the attack and the level of sophistication involved in developing the backdoor potentially implicate some nation-state actors, displaying the fragility of trust in the supply chain and the potential damage that can be done from otherwise benign dependencies.

Another incident of note was the CrowdStrike IT outage. CrowdStrike’s endpoint detection agent, known as Falcon Sensor, is a driver operating at the OS level that is widely used on many enterprise computer systems. When a faulty update with an out-of-bounds memory read error was published, enterprise computers from data centers to airports across the planet immediately started failing. This failure, which turned out to be one of the largest outages in the history of IT, exposed the consequences of skipping comprehensive security testing and a lack of disaster recovery planning in many industries.

The main thing to note from both these incidents is that supply chains are still extremely exposed to vulnerabilities. Low-level code is also still a problem; even if you are running a memory-safe stack, a dependency or even some driver on your underlying infrastructure could introduce memory corruption issues. Fuzzing, code auditing and pinning, disaster recovery, and proper deployment strategies remain important.

CVEs and CWEs in 2024

The Top 25 CWEs had some interesting movements this year. Code Injection moved up 12 spots to the Number 11 position, with the two CVEs from 2024 both relating to LLM-generated code being run in a shell. Uncontrolled Resource Consumption and Sensitive Information Disclosure are new entrants to the Top 25. Both of these can be partially attributed to the rise in AI integrations; rate limiting is a core concern when integrating with an API due to the large resource cost, and Sensitive Information Disclosure can be tied directly to the issue of data privacy with LLMs.

Interestingly enough, most of the top CWE issues this year are perennial issues in the industry: Cross-site scripting, SQL Injection, and Authorization bypasses. This goes to show that some of the oldest issues in our industry have still not been robustly fixed.

There was a huge increase in CVEs in 2024, up 38% since 2023. Some part of this increase can be attributed to the increase in attack surface area due to new AI applications. For example, a large number of these CVEs were directly tied to an AI’s output being used in improper ways. These include Path Traversal vulnerabilities, Code Injection vulnerabilities, and Command Injection vulnerabilities. There were also a number of vulnerabilities within LLM frameworks themselves. Despite this, the average CVSS score per CVE decreased between 2023 and 2024, indicating that another reason for the increase in CVEs is that more vulnerabilities, even of less impact, are being disclosed, rather than just those with wide industry impact.

Tooling

2024 also saw the introduction of scores of new Application Security tools. Keeping with the theme of the year, many were AI-powered.

One of the most exciting new tools is XBOW. An AI tool designed to automate vulnerability discovery, XBOW’s goal is to autonomously identify and exploit vulnerabilities with little to no custom human interaction. XBOW has so far proved its utility with a couple of reported vulnerabilities on HackerOne and some respectable performance on several web security benchmarks. With time, XBOW could see further potential as a completely automated pen-testing tool.

Another such tool is DryRun Security. On the defensive side, DryRun tries to leverage Natural Language rule writing to uncover risk in Pull Requests to a repository. By using Natural Language, DryRun aims to be able to find issues in a more flexible manner as opposed to a strict DSL like Semgrep or CodeQL, allowing risks to surface instead of just vulnerabilities.

While not a new tool, the Zed Attack Proxy (ZAP) was acquired by Checkmarx in 2024.

Other interesting AppSec tooling in 2024 included some GitHub Actions auditing tools, such as Gato-X and zizmor.

We have a couple of predictions for 2025 trends in Application Security:

AI Overreliance Vulnerabilities

As AI continues to be integrated in more applications, we will see naive integrations leading to vulnerabilities in both Excessive Agency and Improper Output Handling.

This will include an uptick in Injection vulnerabilities: traditional ones like SQL Injection, XSS, Command Injection, and Code Injection, but also Prompt Injection vulnerabilities. Naive implementations of AI will inevitably interpolate LLM outputs in unsafe ways into queries, user interfaces, and other surfaces, leading to all of the above vulnerabilities. This will continue the trend set in 2024.

To stay ahead of this trend, the industry will have to work to design responsible AI systems. Check out our blog post on Preventing Overreliance for more information on mitigations.
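As an added illustration (not code from the original post), the sketch below contrasts naive and hardened handling of model output at two of the sinks named above, a SQL query and a file path. The table, function names, and the `LLM_NAME` / `LLM_FILE` strings are constructed for this example and stand in for text returned by a model.

```python
import sqlite3
from pathlib import Path

# Constructed stand-ins for model output; treat it like any untrusted input.
LLM_NAME = "x' OR '1'='1"
LLM_FILE = "../../etc/passwd"

def make_db():
    """Build a small in-memory table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_naive(db, name):
    # Unsafe: model output is interpolated into the SQL text itself.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

def lookup_safe(db, name):
    # Safe: model output is bound as a parameter, so it can only ever be data.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def resolve_naive(base, name):
    # Unsafe: nothing stops the model-chosen name from climbing out of base.
    return (Path(base) / name).resolve()

def resolve_safe(base, name):
    # Safe: resolve first, then require the result to stay under base.
    root = Path(base).resolve()
    target = (root / name).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"model-supplied path escapes {root}")
    return target

if __name__ == "__main__":
    db = make_db()
    print("naive query rows:", lookup_naive(db, LLM_NAME))  # every row comes back
    print("bound query rows:", lookup_safe(db, LLM_NAME))   # no rows match
    print("naive path:", resolve_naive("/srv/reports", LLM_FILE))
    try:
        resolve_safe("/srv/reports", LLM_FILE)
    except ValueError as err:
        print("rejected:", err)
```

The same rule applies to shells and HTML: pass model output as an argument or an escaped value, never as part of the command or markup text.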

Open Source Supply Chain Vulnerabilities

We will continue to see an increase in the number of open source supply chain attacks. Supply chain attacks have proven to be the favorite of several nation-state actors, as seen in NotPetya, SolarWinds, and (potentially) the recent xz-utils exploit. As conflicts in the global landscape continue to increase in frequency and severity, we will see civilian fallout from nation-state actors attacking one another, such as through supply chain exploits.

The software supply chain is one of the hardest parts of the software lifecycle to secure. With that being said, OWASP has a Cheat Sheet on basic things you can do to secure your supply chain.

Cloud Security and API Security

Cloud security and API security will continue to grow in importance this year. AI integrations necessitate a move to the cloud for most companies, reversing a microtrend over the past couple of years of companies moving back to on-premise appliances. As such, companies will need to put in added effort this year to secure their API and cloud attack surface.

Cloud and API Security is a discipline entirely unto itself, but there are a few resources that can help with starting this. Reach out to us today for help securing your infrastructure, and check out our blog posts on Cloud Security.