
Researchers found that 50% of all sites evaluated had at least one serious, exploitable vulnerability open for the entire year of 2021, while only 27% were exposed for fewer than 30 days.

 

In its “AppSec Stats Flash: 2021 Year in Review,” NTT Application Security tracks Window-of-Exposure and Time-to-Fix statistics across industry verticals, including healthcare, manufacturing, utilities, and retail.

 

Here are some highlights from each vertical market:

 

  • Utilities: During 2021, 63 percent of utilities websites were exposed to at least one exploitable vulnerability, up 8% from the previous year.

 

  • Education: Across all industries, education had the longest Time-to-Fix for a serious vulnerability, 523.5 days, nearly 335 days longer than public administration (188.6 days), which had the shortest Time-to-Fix in 2021.

 

  • Finance and insurance had the lowest percentage of sites that were exposed for the entire year, at 43 percent.
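
The bullets above quote Window-of-Exposure and Time-to-Fix figures without showing how such numbers are derived from raw findings. The following is an added example, not code from the NTT report or from this article, that computes both metrics for a set of sites. It assumes that Window-of-Exposure counts the days in the evaluation year on which a site had at least one serious finding open (overlapping findings counted once), and that Time-to-Fix is the open-to-fix duration of each remediated finding. The site names, dates, and the 30-day threshold are constructed sample data chosen to match the buckets the article reports.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Evaluation window: calendar year 2021, matching the report's period.
YEAR_START = date(2021, 1, 1)
YEAR_END = date(2021, 12, 31)

# Constructed sample data (hypothetical sites, not from the NTT report):
# per site, a list of serious findings as (opened, fixed); fixed=None means still open.
Finding = Tuple[date, Optional[date]]
SAMPLE_FINDINGS: Dict[str, List[Finding]] = {
    "shop.example": [
        (date(2020, 11, 3), None),                 # carried into 2021 and never fixed
        (date(2021, 5, 1), date(2021, 6, 15)),
    ],
    "portal.example": [
        (date(2021, 2, 1), date(2021, 2, 20)),
        (date(2021, 2, 10), date(2021, 3, 5)),     # overlaps the finding above
        (date(2021, 10, 1), date(2021, 10, 3)),
    ],
    "static.example": [],                          # no serious findings all year
}


def days_in_window(start: date = YEAR_START, end: date = YEAR_END) -> int:
    return (end - start).days + 1


def exposure_days(findings: List[Finding], start: date = YEAR_START, end: date = YEAR_END) -> int:
    """Window-of-Exposure: days in [start, end] with at least one finding open.

    A finding is exposed from its open date up to (not including) its fix date.
    Overlapping or adjacent findings are merged so each day counts once.
    """
    intervals = []
    for opened, fixed in findings:
        lo = max(opened, start)
        hi = min(fixed - timedelta(days=1), end) if fixed else end
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()

    total = 0
    cur_lo: Optional[date] = None
    cur_hi: Optional[date] = None
    for lo, hi in intervals:
        if cur_hi is not None and lo <= cur_hi + timedelta(days=1):
            cur_hi = max(cur_hi, hi)           # extend the current merged run
        else:
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days + 1
    return total


def exposure_bucket(findings: List[Finding]) -> str:
    """Buckets matching the article's figures: all year, under 30 days, or in between."""
    days = exposure_days(findings)
    if days == days_in_window():
        return "always vulnerable"
    if days < 30:
        return "under 30 days"
    return "30 days or more"


def mean_time_to_fix(findings_by_site: Dict[str, List[Finding]]) -> Optional[float]:
    """Mean open-to-fix duration in days over all remediated findings; None if none were fixed."""
    durations = [
        (fixed - opened).days
        for findings in findings_by_site.values()
        for opened, fixed in findings
        if fixed is not None
    ]
    return sum(durations) / len(durations) if durations else None


def summarize(findings_by_site: Dict[str, List[Finding]]) -> Dict[str, Optional[float]]:
    """Site-level percentages in the shape the article reports them."""
    buckets = [exposure_bucket(f) for f in findings_by_site.values()]
    n = len(buckets)
    return {
        "sites": n,
        "pct_always_vulnerable": 100.0 * buckets.count("always vulnerable") / n,
        "pct_under_30_days": 100.0 * buckets.count("under 30 days") / n,
        "mean_time_to_fix_days": mean_time_to_fix(findings_by_site),
    }


if __name__ == "__main__":
    for site, findings in SAMPLE_FINDINGS.items():
        print(f"{site:16} {exposure_days(findings):3d} days  {exposure_bucket(findings)}")
    print(summarize(SAMPLE_FINDINGS))
```

Merging the intervals is the part that matters: summing each finding's open days independently would double-count days on which several findings overlapped and could report more than 365 exposure days for one site. Sites whose exposure equals the full year land in the “always vulnerable” bucket the article describes, and a finding fixed before the window or opened after it contributes nothing.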

 

According to Ray Kelly, a fellow at NTT Application Security, these figures are high in part because organizations are struggling with a growing number of web assets, shrinking security headcount and expertise, and rapid application deployment through CI/CD pipelines aimed at bringing new features and functionality to market as quickly as possible.

 

Kelly explained, “It's a never-ending game of catch-up. Malicious actors will take advantage sooner or later if organizations do not focus on addressing significant vulnerabilities. The report's most important result concerns Window-of-Exposure; the notion that 50% of web apps will be vulnerable to assault in 2021 is highly concerning.”

 

“AppSec teams are 100:1 outmanned,” Lambert stated. “Silos and disconnects exist between development and security teams, resulting in irritation and finger-pointing. As a result, updates are rushed out the door with known vulnerabilities, and teams must scurry to respond when new vulnerabilities are discovered.”

 

While the statistic that half of firms remain susceptible throughout the year may appear scary at first, Michael Isbitski, technical evangelist at Salt Security, emphasized that the percentage reflects the realities of ongoing security testing and the necessity to deliver apps to production. When firms use application security testing (AST) technologies, according to Isbitski, they frequently find comparable groupings of vulnerabilities that they may not consider risky.

 

“It's not uncommon for corporations to ignore or hide security risks, particularly information disclosure issues,” said Isbitski. “The mere presence of specific HTTP headers or server banners is routinely reported as an information leak by scanning tools. An attacker can utilize this metadata to learn about back-end systems and versions, which can help them find more flaws. Information disclosure issues aren't always caused by application code; they're more commonly caused by infrastructure setup. Other concerns, such as injection defects and abusable business logic, are frequently overlooked.”
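
As an added example, not code from the article or from any of the vendors quoted in it, the following script shows the kind of check Isbitski is describing: it parses the head of a raw HTTP response and flags headers that fingerprint the stack, distinguishing bare presence of a header from a value that carries a version number. Both sample responses, the host details in them, the header list, and the severity labels are constructed for illustration.

```python
import re
from typing import Dict, List

# Response headers that reveal the stack by their presence alone; a version string
# in the value is what turns "info" into something an attacker can act on.
DISCLOSURE_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")

# Constructed sample responses (hypothetical hosts, not captured from any real site).
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"                       # product name only, no version
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Return lower-cased header name -> list of values from a raw HTTP/1.x response head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:                      # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                            # malformed line; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_disclosures(raw: bytes) -> List[Dict[str, object]]:
    """Flag fingerprinting headers; rate those carrying a version above bare presence."""
    headers = parse_headers(raw)
    findings = []
    for name in sorted(DISCLOSURE_HEADERS & set(headers)):
        for value in headers[name]:
            versions = VERSION_RE.findall(value)
            findings.append({
                "header": name,
                "value": value,
                "versions": versions,
                "severity": "low" if versions else "info",
            })
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_disclosures(raw))
```

The hardened response still produces an “info” entry for the bare `Server: Apache` header, which is exactly the scanner behaviour Isbitski describes; only the leaky response yields version strings an attacker can map to known flaws. Consistent with his point that these issues come from infrastructure rather than application code, the usual fixes are server configuration, for example `ServerTokens Prod` and `Header unset X-Powered-By` in Apache, `server_tokens off;` in nginx, or `expose_php = Off` in PHP. Suppressing the banner removes the fingerprint, not the version-specific vulnerability behind it, so it complements patching rather than replacing it.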

 

Security flaws will always exist in software, according to Approov CEO David Stewart, and while it's important to devote time and money to correcting them, the industry will never release vulnerability-free software.

 

“In conjunction with their vulnerability-fixing activities, enterprises should protect their apps and the APIs that serve them from bad actor scripts looking to exploit vulnerabilities,” Stewart said. “Effective shielding prevents rogue programs from accessing the intended backend services. It's important to remember that the presence of vulnerabilities isn't the main issue; the capacity to exploit them is. So, first block the exploitation path, then address the vulnerabilities at your (relative) leisure.”

 
