The majority of web applications in 11 industries are…
According to a report published by WhiteHat Security on June 22, two-thirds of applications deployed by the utility industry and 63% of those deployed by public administration organizations have a severe vulnerability that compromises security every day of the year.
Overall, 11 industries have seen a serious vulnerability in at least half of their applications every day for the past year. The top three sectors on the list — utilities, public administration and professional services — take at least 288 days on average to fix vulnerabilities, according to the company’s monthly AppSec Stats Flash report for June.
The slow patch cadence is due in large part to a long tail of legacy apps that no active development team is working on, says Setu Kulkarni, vice president of strategy at WhiteHat Security.
“Once you find the vulnerability, fixing it is not a trivial process because you need to find the right development team, and in many cases that development team is long gone,” he says. “Some of the apps we use every day are the ones that have been in production the longest.”
Overall, the time to fix critical vulnerabilities averaged 205 days for issues resolved in the last three months, compared to 194 days in WhiteHat’s January report and significantly longer than the 148 days for all of 2020, according to the report.
The trend is fueled, at least in part, by increased testing for new apps and legacy apps that haven’t been tested before, according to WhiteHat. The number of applications tested increased by approximately 10% across major industry sectors, with two vulnerabilities found on average per site. Companies have expanded testing because recent ransomware attacks have raised business continuity concerns and because the pandemic is forcing the average business to deploy more cloud applications to support remote workers.
“These high average resolution time results contribute to the large window of exposures,” the report states, adding that “[F]ocusing on reducing the average time to fix critical and high-severity vulnerabilities is key to improving the window of exposure and, therefore, the overall security posture of applications.”
The trend is most evident in the rise of the utilities sector to the top of the list – the sector was ranked eighth in January. This rise does not necessarily indicate that the sector is more vulnerable, but that companies in the sector are testing more applications, a trend that will no doubt improve overall security.
A number of attacks on utilities — most recently, the Colonial Pipeline attack — have caused companies in this sector to test their software more, Kulkarni says.
“If you trace a timeline of the increase, it basically started when Colonial got hacked, a lot of utilities started increasing the number of apps tested, and we started finding more vulnerabilities,” he says. “These are applications that have potentially only been tested once before being deployed.”
Finance and insurance companies – an industry sector frequently targeted in the past – performed much better, though not the best. Ranking 13th on the list of industries by window of exposure, 43% of the sector’s apps were still vulnerable, while 29% were vulnerable for only 30 days or less.
“These organizations, when they find a critical vulnerability, are able to patch or mitigate it within 30 days at a much better rate compared to all other industries,” Kulkarni says. “They are at the forefront of adopting technology processes – such as agile and DevOps – and they have more mature application security programs.”
The report doesn’t focus on whether original code produced by in-house developers or open-source components embedded in applications are to blame for the vulnerabilities, but a Veracode report found that 79% of developers do not update open source libraries after including them in a project. Updating software regularly is important because nearly all (92%) vulnerabilities in open source libraries can be patched with an update, the company found.
Another problem is that developers keep making the same mistakes. The top five classes of vulnerabilities have not changed over time, with the most common vulnerabilities being information leaks, insufficient session timeout, insufficient transport layer protection, cross-site scripting, and spoofing, according to the report published by WhiteHat Security. The same vulnerability classes also topped the list in January.
Veteran technology journalist of more than 20 years. Former research engineer. Written for over two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science and Wired News. Five awards for journalism, including Best Deadline…