Most organizations appear to be making little headway in addressing application security issues despite all of the heightened concerns around the topic, a new study shows.
The study, by researchers at NTT Application Security, is based on data from some 15 million scans, mostly of Internet-facing Web applications at customer locations through 2021. Last year organizations took more than six months (193.1 days), on average, to fix a critical security vulnerability, or almost the same length of time they took in 2020 (194.8). For the same period, organizations, on average, also fixed fewer vulnerabilities as a percentage of the overall total.
NTT's data shows that remediation rates for critical vulnerabilities, on average, declined to 47% in 2021 from 54% in 2020. In other words, organizations left more than half (53%) of known critical flaws unremediated last year. NTT's study shows even more abysmal rates for less severe flaws — organizations, on average, fixed only 36% of high-severity flaws and 33% of medium-severity bugs in their environments in 2021.
Somewhat unsurprisingly, half of all the sites in NTT's study had at least one serious exploitable vulnerability throughout 2021. In some industries, a higher percentage of sites had this sort of an exposure. Fifty-nine percent of sites in the retail industry — one of the most targeted sectors — had at least one serious vulnerability throughout 2021. In the utilities sector, 63% of sites were perpetually exposed to attacks last year because of at least one exploitable vulnerability; in the professional, scientific, and technical service sector, the number was even higher, at 65%.
"Simply put, most of these metrics are headed in the wrong direction," says Zach Jones, senior director of detection research at NTT Application Security. Application vulnerability remediation rates and the time that organizations took, on average, last year to fix flaws remained way off the desired goals that security teams often try to meet, he says.
"For example, most teams aim to remediate critical vulnerabilities found in their applications within 30 days," Jones says. "However, when looking at our data, we see that it’s taking an average of 193 days to remediate a critical vulnerability."
There could be multiple reasons why organizations are having a hard time improving critical metrics around application security, such as time to fix, remediation rates, and the overall window of exposure. But one common theme is software development teams' continuing tendency to prioritize new application features and functionality over security, Jones says.
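The three metrics named above are the ones an AppSec team would track in its own findings data. The following is an added example, not code or data from NTT's study: it computes mean time to fix, remediation rate, and per-site window of exposure over a constructed set of findings. The metric definitions used here (time to fix counted from detection to verified fix, remediation rate as the share of findings closed within the period, window of exposure as the number of days a site had at least one open critical or high finding) are assumptions for illustration, since the article does not state how NTT defines them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample findings (hypothetical; not NTT data). Each record is one
# vulnerability on one site with the date it was first detected and the date it
# was verified fixed (None = still open at the end of the reporting period).
PERIOD_START = date(2021, 1, 1)
PERIOD_END = date(2021, 12, 31)


@dataclass(frozen=True)
class Finding:
    site: str
    severity: str  # "critical", "high", "medium", "low"
    opened: date
    closed: Optional[date]


FINDINGS = [
    Finding("shop.example", "critical", date(2021, 1, 10), date(2021, 3, 1)),
    Finding("shop.example", "critical", date(2021, 5, 1), None),
    Finding("shop.example", "high", date(2021, 2, 1), date(2021, 2, 20)),
    Finding("api.example", "critical", date(2021, 4, 1), date(2021, 4, 30)),
    Finding("api.example", "medium", date(2021, 6, 1), None),
    Finding("portal.example", "high", date(2021, 3, 15), date(2021, 9, 15)),
    # Opened before the period and never fixed: exposed on every day of 2021.
    Finding("legacy.example", "high", date(2020, 11, 1), None),
]

# Assumed definition of "serious": critical or high severity.
SERIOUS = {"critical", "high"}


def mean_time_to_fix(findings, severity):
    """Average days from detection to verified fix over the closed findings of one severity."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.severity == severity and f.closed is not None]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings, severity):
    """Share of findings of one severity that were closed by the end of the period."""
    of_severity = [f for f in findings if f.severity == severity]
    if not of_severity:
        return None
    return sum(1 for f in of_severity if f.closed is not None) / len(of_severity)


def window_of_exposure(findings, site, start=PERIOD_START, end=PERIOD_END):
    """Days within [start, end] on which the site had at least one open serious finding.

    Each finding contributes the inclusive interval [opened, closed], clamped to the
    period; still-open findings run to the period end. Overlapping intervals are
    merged so a day with several open findings is counted once.
    """
    intervals = []
    for f in findings:
        if f.site != site or f.severity not in SERIOUS:
            continue
        lo = max(f.opened, start)
        hi = min(f.closed or end, end)
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()
    merged = []
    for lo, hi in intervals:
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return sum((hi - lo).days + 1 for lo, hi in merged)


def always_exposed(findings, site, start=PERIOD_START, end=PERIOD_END):
    """True when the site had an open serious finding on every day of the period."""
    return window_of_exposure(findings, site, start, end) == (end - start).days + 1


if __name__ == "__main__":
    print("mean time to fix (critical):", mean_time_to_fix(FINDINGS, "critical"))
    print("remediation rate (critical):", remediation_rate(FINDINGS, "critical"))
    for site in sorted({f.site for f in FINDINGS}):
        print(site, "exposed days:", window_of_exposure(FINDINGS, site),
              "always exposed:", always_exposed(FINDINGS, site))
```

Two details matter when reproducing figures like the ones in the article: the "always exposed" measure depends on clamping findings that predate the reporting period to its start, and the window of exposure must merge overlapping open findings rather than summing their durations, or a site with several concurrent flaws would appear exposed for more days than the year has.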
Several security experts have noted how the accelerated adoption of digital-first initiatives at many organizations after the COVID-19 pandemic has only exacerbated the trend over the past two years.
"AppSec teams are outnumbered 100-to-1," says Mark Lambert, vice president of products at ArmorCode. Development and security teams also continue to be siloed and disconnected, he says.
"This results in releases going out the door fast and furious with known vulnerabilities," Lambert says. "When new vulnerabilities are identified, teams have to scramble to respond."
Kevin Dunne, president at Pathlock, identifies another issue: the continued growth in vulnerability discoveries in application code.
"The number of vulnerabilities continues to grow, as hackers become more active and more critical systems and sites move to the public Web," he says, adding that many companies are struggling to keep up with a backlog of vulnerabilities that need to be resolved.
NTT's data also suggests that public and media attention may have influenced vulnerability remediation decisions at least to some extent last year. Organizations, for instance, took 193.1 days, on average, to fix critical flaws in 2021, which — though not much better than the 194.8 days it took in 2020 — was still 1.7 days faster. At the same time, time-to-fix rates for other less severe flaws trended the other way last year.
Organizations, on average, took longer to fix high-, medium-, and low-severity flaws in 2021 than they did in 2020.
Those are the kinds of results that manifest when app security teams focus more on one class of flaws than the others, Jones says. "The data suggests that a decrease in time to fix a critical vulnerability often correlates to an increase in how long it takes to remediate less severe — albeit still serious — vulnerabilities," he says.
The most common vulnerability classes in Web application environments last year included data leakage, insufficient transport layer protection, cross-site scripting, cross-site request forgery, content spoofing, and insufficient authorization.