Holding companies and firms that focus on managing other businesses' finances had the least secure Web applications on average in August, with almost three-quarters of sites containing a critical vulnerability every day for the past 12 months, new research shows.
The data, collected from tests conducted by NTT Application Security, found that 10 industry sectors continued to see more than half of their applications vulnerable on every day of the past year. The utility sector, which topped the charts last month with 66% of tested applications always vulnerable, saw its percentage increase only slightly to 67%. The share of always-vulnerable applications for the "management of companies and enterprises" sector, however, jumped to 74% from 65% in July.
These industry sectors are not alone. While manufacturing reined in its vulnerabilities — reducing its share of always-vulnerable applications to 58% from 70% at the beginning of the year — the overall number of insecure sites and services has increased, says Setu Kulkarni, vice president of strategy at NTT Application Security.
"On the whole, the remediation rate for severe vulnerabilities is on the decline while the average time to fix is on the increase," he says. "These two trends contribute to an overall increase in the window of exposure for applications in general."
Volume of Vulns Outpaces Fixes
The data underscores a critical gap between software developers and application-security teams: The cadence of new bugs continues to outpace the speed of fixing those issues.
The most common serious vulnerabilities continue to be the same five as last month: HTTP response splitting, query language injection (such as SQL injection), cross-site scripting, cross-site request forgery, and remote file inclusion. All of these classes of vulnerabilities are well known and are part of the OWASP Top 10 list of Web application weaknesses.
More than two-thirds of applications had a security misconfiguration (OWASP Top 10 issue A6), which is typically the most common security weakness. In addition, 41% of applications exposed sensitive data, designated A3 on the OWASP Top 10 list.
"Pedestrian vulnerabilities continue to plague applications," the new report states. "The effort and skill required to discover and exploit these vulnerabilities are relatively low, thus making it easier for the adversary."
In January, the majority of applications tested in 11 industry sectors had a critical vulnerability every day in the past 12 months. In the last two months, that has fallen to 10 industries. The agriculture sector continued to top the list of slowest time to fix, taking an average of 521 days to patch a typical vulnerability, much higher than at the beginning of the year, when the average sat at 138 days. Educational services took the second spot, with an average time to fix of 505 days, up from 438 days just last month.
While management companies have the largest share of applications that are always exposed to a critical vulnerability, the sector is among the fastest at fixing flaws, patching issues in an average of 255 days.
The time to fix critical vulnerabilities dropped two days in the past month, to 200 days from 202 days in July, but remains up from 195 days in January. The time to fix a high-severity vulnerability, meanwhile, has climbed significantly to 256 days, up from 246 days in July and 197 days in January.
Last month, the data showed that the time-to-fix and remediation rates had roughly plateaued. NTT Application Security did not include remediation data in the latest report.
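The metrics the report tracks ("always vulnerable" share, average time to fix, remediation rate) can be computed from a finding-level export of any scanner. The script below is an added illustration, not code from NTT Application Security or the report; the finding records and the window end date are constructed, and the assumption is that a finding counts as open from its discovery date up to, but not including, its closure date.

```python
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)

# Constructed sample findings (not data from the NTT report). A finding is open
# from `opened` up to, but not including, `closed`; closed=None means still open.
FINDINGS = [
    {"app": "billing",  "severity": "critical", "opened": date(2020, 6, 1),  "closed": None},
    {"app": "billing",  "severity": "critical", "opened": date(2021, 1, 10), "closed": date(2021, 3, 1)},
    {"app": "portal",   "severity": "critical", "opened": date(2020, 12, 1), "closed": date(2021, 3, 11)},
    {"app": "portal",   "severity": "critical", "opened": date(2021, 3, 11), "closed": date(2021, 6, 19)},
    {"app": "intranet", "severity": "high",     "opened": date(2021, 2, 1),  "closed": date(2021, 8, 10)},
    {"app": "api",      "severity": "critical", "opened": date(2020, 9, 1),  "closed": None},
    {"app": "api",      "severity": "high",     "opened": date(2021, 7, 1),  "closed": date(2021, 7, 31)},
]

# Trailing 12-month window, 365 days inclusive (constructed end date).
WINDOW_END = date(2021, 8, 31)
WINDOW_START = WINDOW_END - timedelta(days=364)

def exposed_days(findings, app, severity, start, end):
    """Days in [start, end] on which `app` had at least one open finding of `severity`."""
    open_days = set()
    for f in findings:
        if f["app"] != app or f["severity"] != severity:
            continue
        first = max(f["opened"], start)
        last = min(f["closed"] - ONE_DAY, end) if f["closed"] else end
        open_days.update(range(first.toordinal(), last.toordinal() + 1))
    return len(open_days)

def always_vulnerable_share(findings, severity, start, end):
    """Share of apps exposed to `severity` on every single day of the window."""
    apps = {f["app"] for f in findings}
    window_days = (end - start).days + 1
    hit = sum(exposed_days(findings, a, severity, start, end) == window_days for a in apps)
    return hit / len(apps)

def mean_time_to_fix(findings, severity):
    """Average days from discovery to closure over closed findings of `severity`."""
    ttf = [(f["closed"] - f["opened"]).days for f in findings
           if f["severity"] == severity and f["closed"]]
    return sum(ttf) / len(ttf) if ttf else None

def remediation_rate(findings, severity):
    """Fraction of `severity` findings that have been closed."""
    sev = [f for f in findings if f["severity"] == severity]
    return sum(1 for f in sev if f["closed"]) / len(sev) if sev else None

if __name__ == "__main__":
    for sev in ("critical", "high"):
        print(sev, always_vulnerable_share(FINDINGS, sev, WINDOW_START, WINDOW_END),
              mean_time_to_fix(FINDINGS, sev), remediation_rate(FINDINGS, sev))
```

Note that the two metrics diverge: an app with one long-lived finding is "always vulnerable" even while its other findings are closed quickly, which is why the report's time-to-fix and always-vulnerable figures can move in opposite directions.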
Companies should take a two-speed approach to fixing vulnerabilities, the company says. First, conduct targeted campaigns to bring together developers, operations teams, and security specialists to address the top five classes of vulnerabilities in applications, especially in legacy applications. In addition, companies should focus on adopting more automated testing strategies for new software projects.
"The top five vulnerability classes by prevalence remain constant, pointing to a systematic failure to address these well-known vulnerabilities," Kulkarni says. "This also presents an opportunity to take a targeted approach to educate development and security teams about these vulnerabilities so that they can mitigate and remediate them."
A 2020 study by rival application security firm Veracode found that large legacy codebases tended to raise the average time to fix vulnerabilities by 120, leading to the recommendation that companies break up monolithic applications and work to pay down their security debt.