Two-thirds of the applications deployed by the utility sector and 63% of those deployed by public administration organizations have a serious vulnerability undermining security every day of the year, according to a report published by WhiteHat Security on June 22.
Overall, 11 industries saw a serious vulnerability in at least half of their applications every day for the last year. The top three industries on the list — utilities, public administration, and professional services — take at least 288 days on average to fix vulnerabilities, according to the company's monthly AppSec Stats Flash report for June.
The slow patching cadence happens because, in many cases, there is a long tail of legacy applications that do not have an active development team working on them, says Setu Kulkarni, vice president of strategy at WhiteHat Security.
"Once you find the vulnerability, fixing that vulnerability is not a trivial process because you have to find the right development team, and in many cases, that development team is long gone," he says. "Some of the applications that we use every day are the ones that have been in production for the longest time."
Overall, the time required to fix critical vulnerabilities averaged 205 days for issues fixed in the past three months, up from 194 days in WhiteHat's January report and significantly higher than the 148 days for all of 2020, according to the report.
The trend is driven, at least in part, by increased testing of both new applications and legacy applications that had never been tested before, according to WhiteHat. The number of applications under test has grown by about 10% across the major industry sectors, with two vulnerabilities found on average per site. Companies have expanded testing because recent ransomware attacks have raised business-continuity concerns and because the pandemic has pushed them to deploy more cloud applications to support remote workers.
"These high-average time-to-fix results contribute to the large window of exposures," the report states, adding that "[f]ocus on reducing average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications."
The trend is most obvious in the rise of the utility sector to the top of the list — the sector was ranked eighth in January. The rise does not necessarily indicate that the sector is more vulnerable but that companies in the sector are testing more applications, arguably a trend that will improve overall security.
A number of attacks on utilities — most recently, the Colonial Pipeline attack — have companies in that sector testing more of their software, Kulkarni says.
"If you draw a timeline of the increase, it pretty much started as Colonial got hacked, a lot of utilities started increasing the number of applications under test, and we started finding more vulnerabilities," he says. "These are applications that potentially were only tested once before they were deployed."
Finance and insurance companies, an industry sector frequently targeted in the past, have performed much better, though not stellar. The sector ranks 13th on the list of sectors with long windows of exposure: 43% of its applications were always vulnerable, while 29% were vulnerable for 30 days or less.
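The two figures the report keeps returning to, the window of exposure (how many applications carry an open serious finding on every day of the period, or on 30 days or fewer) and the average time to fix, are straightforward to compute from a vulnerability tracker's open/close dates. The script below is an added example, not WhiteHat's code or its exact methodology; the definitions it uses (critical and high count as "serious", a finding fixed on day D is not exposed on D, time-to-fix averaged over findings closed in the trailing 90 days) and the four fictitious applications are assumptions made for the illustration.

```python
"""Window-of-exposure and time-to-fix metrics over a constructed vulnerability log.

Added illustration, not WhiteHat's code or methodology. Assumed definitions:
an application is "always vulnerable" when at least one open critical- or
high-severity finding covers every day of the reporting period; time-to-fix is
days from discovery to closure, averaged over findings closed in the trailing
90 days of the period.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SERIOUS = {"critical", "high"}


@dataclass
class Finding:
    app: str
    severity: str
    found: date
    fixed: Optional[date]  # None means the finding is still open


def exposed_days(findings: List[Finding], app: str, start: date, end: date) -> int:
    """Days in [start, end] on which `app` had at least one open serious finding.

    Overlapping findings are counted once: the result is the size of the union
    of each finding's open interval, clipped to the reporting period.
    """
    days = set()
    for f in findings:
        if f.app != app or f.severity not in SERIOUS:
            continue
        first = max(f.found, start)
        # A finding fixed on day D is no longer exposed on D itself.
        last = min(f.fixed - timedelta(days=1), end) if f.fixed else end
        d = first
        while d <= last:
            days.add(d)
            d += timedelta(days=1)
    return len(days)


def classify_exposure(findings: List[Finding], start: date, end: date) -> Dict[str, str]:
    """Bucket every application by how long it was exposed during the period."""
    period_days = (end - start).days + 1
    buckets = {}
    for app in sorted({f.app for f in findings}):
        n = exposed_days(findings, app, start, end)
        if n == period_days:
            buckets[app] = "always"
        elif n == 0:
            buckets[app] = "never"
        elif n <= 30:
            buckets[app] = "30_or_less"
        else:
            buckets[app] = "other"
    return buckets


def avg_time_to_fix(findings: List[Finding], severity: str, period_end: date,
                    lookback_days: int = 90) -> Optional[float]:
    """Mean days from discovery to closure for findings of `severity` closed
    within `lookback_days` before `period_end`; None if nothing was closed."""
    cutoff = period_end - timedelta(days=lookback_days)
    ages = [(f.fixed - f.found).days for f in findings
            if f.severity == severity and f.fixed and cutoff <= f.fixed <= period_end]
    return sum(ages) / len(ages) if ages else None


# Constructed sample: a one-year reporting period and four fictitious apps.
START, END = date(2020, 7, 1), date(2021, 6, 30)
SAMPLE = [
    Finding("billing-portal", "critical", date(2020, 1, 15), None),             # never fixed
    Finding("customer-api", "high", date(2021, 3, 1), date(2021, 3, 20)),       # fixed in 19 days
    Finding("legacy-reports", "critical", date(2020, 9, 1), date(2021, 5, 1)),  # 242 days open
    Finding("legacy-reports", "low", date(2021, 6, 1), None),                   # ignored: not serious
    Finding("intranet", "critical", date(2021, 4, 10), date(2021, 6, 10)),      # 61 days open
    Finding("intranet", "high", date(2020, 5, 1), date(2020, 6, 1)),            # closed before period
]

if __name__ == "__main__":
    buckets = classify_exposure(SAMPLE, START, END)
    total = len(buckets)
    for name in ("always", "30_or_less", "other", "never"):
        share = sum(1 for b in buckets.values() if b == name) / total
        print(f"{name:>11}: {share:.0%}")
    print("critical time-to-fix (trailing 90 days):",
          avg_time_to_fix(SAMPLE, "critical", END), "days")
```

Run against a real tracker export, the "always" share is the number to watch: it is dominated by findings that nobody owns, which is exactly the long tail of unowned legacy applications the article describes.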
"These organizations when they find a critical vulnerability, they are able to fix them or mitigate them within 30 days at a much better rate compared to all other industries," Kulkarni says. "They are the cutting edge of adopting technology processes — such as agile and DevOps — and they have more mature application security programs."
The report does not break down whether the vulnerabilities lie in code written by internal developers or in open source components incorporated into the applications, but a separate report from Veracode found that 79% of developers do not update open source libraries after adding them to a project. Updating regularly matters because almost all (92%) open source library vulnerabilities can be fixed with an update, Veracode found.
Another problem is that developers continue to make the same mistakes. The top five classes of vulnerabilities haven't changed over time, with the most common flaws being information leakage, insufficient session expiration, insufficient transport layer protection, cross-site scripting, and content spoofing, according to the report published by WhiteHat Security. The same vulnerability classes topped the list in January as well.
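Of the five classes named above, insufficient session expiration is the one most easily shown in a few lines of server-side code. The following is an added example, not code from the WhiteHat report or any product it tested: a session store that honours a token forever and ignores logout, beside one that enforces an idle timeout and an absolute lifetime and revokes the session server-side on logout. The store classes, the 15-minute idle and 8-hour absolute limits, and the injectable `now` clock parameter are choices made for this illustration.

```python
"""Insufficient session expiration: a store that never expires tokens beside a
hardened one. Added illustration; the classes, timeouts and `now` clock are
assumptions made for the example, not code from the report."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # epoch seconds at login
    last_seen: float  # epoch seconds of the most recent accepted request


class WeakSessionStore:
    """Vulnerable pattern: once issued, a token is honoured indefinitely."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token, now):
        # Only the client's cookie is cleared; the server keeps the session, so a
        # token copied from a log, a proxy or a stolen device still works later.
        return None

    def user_for(self, token, now):
        s = self._sessions.get(token)
        return s.user if s else None


class HardenedSessionStore:
    """Idle timeout, absolute lifetime, and server-side revocation on logout."""
    IDLE_TIMEOUT = 15 * 60        # seconds without a request before expiry
    ABSOLUTE_LIFETIME = 8 * 3600  # seconds after login before re-authentication

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token, now):
        # Revoke server-side so the token is useless even if it leaks afterwards.
        self._sessions.pop(token, None)

    def user_for(self, token, now):
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.ABSOLUTE_LIFETIME or now - s.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[token]  # expired: drop it rather than let it linger
            return None
        s.last_seen = now              # sliding idle window on each accepted request
        return s.user


def replay_after(store_cls, delay_seconds, logout_first=False):
    """Log in at t=0, optionally log out at t=1, then present the token
    `delay_seconds` later. Returns the accepted user, or None if refused."""
    store = store_cls()
    token = store.login("alice", now=0.0)
    if logout_first:
        store.logout(token, now=1.0)
    return store.user_for(token, now=float(delay_seconds))


if __name__ == "__main__":
    thirty_days = 30 * 24 * 3600
    print("weak, replayed after 30 days:    ", replay_after(WeakSessionStore, thirty_days))
    print("weak, replayed after logout:     ", replay_after(WeakSessionStore, 5, logout_first=True))
    print("hardened, replayed after 30 days:", replay_after(HardenedSessionStore, thirty_days))
    print("hardened, replayed after logout: ", replay_after(HardenedSessionStore, 5, logout_first=True))
```

The absolute lifetime is the part most often left out: a sliding idle window alone lets a stolen token live for as long as the attacker keeps using it, which is why the hardened store checks both limits on every request.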