Holding companies and companies that focus on managing the finances of other companies had the least secure web applications on average in August, with nearly three-quarters of sites containing a critical vulnerability every day for the past 12 months, according to a new study.
The data, gathered from tests conducted by NTT Application Security, revealed that 10 industry sectors continued to see more than half of their applications vulnerable every day for the past year. The utilities sector, which topped the charts last month with 66% of apps tested still vulnerable, saw its percentage increase only slightly to 67%. The share of applications still vulnerable for the “business and enterprise management” sector, however, jumped to 74% from 65% in July.
These sectors are not alone. Although manufacturing reduced its share of still-vulnerable applications to 58% from 70% at the start of the year, the total number of unsecured sites and services has increased, said Setu Kulkarni, vice president of strategy at NTT Application Security.
“Overall, the rate of remediation of critical vulnerabilities is declining while the average time to repair is increasing,” he says. “Both of these trends are contributing to an overall increase in the window of exposure for general applications.”
Vulnerability volume exceeds patches
The data underline a critical gap between software developers and application security teams: the rate at which new bugs are discovered continues to exceed the rate at which they are resolved.
The most common critical vulnerabilities remain the same five as last month: HTTP response splitting, query language injection (such as SQL injection), cross-site scripting, cross-site request forgery, and remote file inclusion. All of these classes of vulnerabilities are well known and appear in the OWASP Top 10 list of web application weaknesses.
More than two-thirds of the applications had a security misconfiguration (A6 in the OWASP Top 10), which is typically the most common security weakness. Additionally, 41% of apps exposed sensitive data, designated A3 on the OWASP Top 10 list.
“Pedestrian vulnerabilities continue to disrupt applications,” the new report says. “The effort and skill required to discover and exploit these vulnerabilities is relatively low, making it easier for the adversary.”
In January, the majority of applications tested across 11 industry sectors were critically vulnerable every day for the past 12 months. In the past two months, that figure has fallen to 10 industries. The agricultural sector remained at the top of the list of the slowest repair times, taking an average of 521 days to correct a typical vulnerability, far longer than at the start of the year, when the pace was 138 days. Educational services took second place, with an average repair time of 505 days, up from 438 days last month.
While management companies have the largest number of applications still exposed to a critical vulnerability, the industrial sector is among the group of companies that fix flaws the fastest, resolving issues in 255 days on average.
The time required to patch critical vulnerabilities fell by two days last month, from 202 days in July to 200 days, but up from 195 days in January. The time it takes to fix a high severity vulnerability, meanwhile, increased significantly to 256 days, from 246 days in July and 197 in January.
Last month, data showed repair time and remediation rates had roughly plateaued. NTT Application Security did not include remediation data in the latest report.
Businesses should take a two-tier approach to patching vulnerabilities, the company says. First, conduct targeted campaigns to bring together developers, operations teams and security specialists to address the top five classes of vulnerabilities in applications, especially in legacy applications. Additionally, companies should focus on adopting more automated testing strategies for new software projects.
“The top five vulnerability classes by prevalence remain constant, indicating a systematic failure to address these well-known vulnerabilities,” Kulkarni said. “It also presents an opportunity to take a focused approach to educate development and security teams about these vulnerabilities so they can mitigate and fix them.”
A 2020 study by rival application security company Veracode found that large legacy codebases tended to increase the average vulnerability resolution time by 120, which led companies to break up monolithic applications and work to pay down their security debt.