
Application Security

6/22/2021
12:55 PM

Majority of Web Apps in 11 Industries Are Vulnerable All the Time

Serious vulnerabilities exist every day in certain industries, including utilities, public administration, and professional services, according to testing data.

Two-thirds of the applications deployed by the utility sector and 63% of those deployed by public administration organizations have a serious vulnerability undermining security every day of the year, according to a report published by WhiteHat Security on June 22. 


Overall, 11 industries saw a serious vulnerability in at least half of their applications every day for the last year. The top three industries on the list — utilities, public administration, and professional services — take at least 288 days on average to fix vulnerabilities, according to the company's monthly AppSec Stats Flash report for June.

The slow patching cadence happens because, in many cases, there is a long tail of legacy applications that do not have an active development team working on them, says Setu Kulkarni, vice president of strategy at WhiteHat Security.

"Once you find the vulnerability, fixing that vulnerability is not a trivial process because you have to find the right development team, and in many cases, that development team is long gone," he says. "Some of the applications that we use every day are the ones that have been in production for the longest time."

Overall, the time required to fix critical vulnerabilities averaged 205 days for issues fixed in the past three months, up from 194 days in WhiteHat's January report and significantly higher than the 148 days for all of 2020, according to the report. 

The trend is being fueled, at least partially, by an increase in testing for new applications and legacy applications that have not previously been tested, according to WhiteHat. The number of tested applications has increased by about 10% across the major industry sectors, with two vulnerabilities found on average per site. Companies have expanded testing because recent ransomware attacks have raised business-continuity concerns and because the pandemic has the average company deploying more cloud applications to support remote workers. 

"These high-average time-to-fix results contribute to the large window of exposures," the report states, adding that "[f]ocus on reducing average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications."

The trend is most obvious in the rise of the utility sector to the top of the list — the sector was ranked eighth in January. The rise does not necessarily indicate that the sector is more vulnerable but that companies in the sector are testing more applications, arguably a trend that will improve overall security.

A number of attacks on utilities — most recently, the Colonial Pipeline attack — have companies in that sector testing more of their software, Kulkarni says.

"If you draw a timeline of the increase, it pretty much started as Colonial got hacked, a lot of utilities started increasing the number of applications under test, and we started finding more vulnerabilities," he says. "These are applications that potentially were only tested once before they were deployed."

Finance and insurance companies — an industry sector frequently targeted in the past — have performed much better, though not stellar. Ranking 13th on the list of sectors with long windows of exposure, the sector had 43% of its applications always vulnerable, while 29% were vulnerable for 30 days or less.
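To make the two metrics the report leans on concrete, the window of exposure (how many days in the year an application had at least one open serious finding, bucketed into "always vulnerable" and "30 days or less") and the average time to fix, here is an added example that is not from the article or from WhiteHat. The findings, app names and dates are constructed, and the middle "31-364 days" bucket is my own label; the article names only the two outer categories.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed sample data: one year of serious (critical/high) findings for three apps.
# "opened" = first detected, "closed" = verified fixed (None = still open).
PERIOD_START = date(2020, 6, 22)
PERIOD_END = date(2021, 6, 21)          # inclusive: 365 days
FINDINGS = [
    {"app": "legacy-billing", "opened": date(2019, 3, 1), "closed": None},                # never fixed
    {"app": "customer-portal", "opened": date(2020, 9, 1), "closed": date(2020, 9, 15)},  # 14 days
    {"app": "customer-portal", "opened": date(2021, 2, 1), "closed": date(2021, 2, 11)},  # 10 days
    {"app": "field-ops-api", "opened": date(2020, 7, 1), "closed": date(2021, 4, 15)},    # 288 days
]

def exposed_days(findings, app, start=PERIOD_START, end=PERIOD_END):
    """Count the days in [start, end] on which `app` had at least one open serious finding.
    A finding counts from its opened date up to, but not including, its closed date;
    overlapping findings are not double-counted."""
    days = set()
    for f in (x for x in findings if x["app"] == app):
        first = max(f["opened"], start)
        last = end if f["closed"] is None else min(f["closed"] - timedelta(days=1), end)
        d = first
        while d <= last:
            days.add(d)
            d += timedelta(days=1)
    return len(days)

def exposure_bucket(days, period_days=365):
    """Map an exposure count to the report's categories (middle bucket is an assumed label)."""
    if days >= period_days:
        return "always vulnerable"
    if days <= 30:
        return "30 days or less"
    return "31-364 days"

def average_time_to_fix(findings, start=PERIOD_START, end=PERIOD_END):
    """Mean days from detection to verified fix, over findings closed inside the period."""
    fixed = [(f["closed"] - f["opened"]).days for f in findings
             if f["closed"] is not None and start <= f["closed"] <= end]
    return mean(fixed) if fixed else None

def window_of_exposure_report(findings):
    """Per-application exposure bucket, the view the report aggregates per industry."""
    apps = sorted({f["app"] for f in findings})
    return {app: exposure_bucket(exposed_days(findings, app)) for app in apps}
```

Note that a single open finding with no owner, like the constructed legacy-billing case, is enough to keep an application in the "always vulnerable" bucket regardless of how quickly everything else is fixed, which is the long-tail problem Kulkarni describes.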

"These organizations, when they find a critical vulnerability, are able to fix or mitigate it within 30 days at a much better rate compared to all other industries," Kulkarni says. "They are the cutting edge of adopting technology processes — such as agile and DevOps — and they have more mature application security programs."

The report does not examine whether original code produced by internal developers or open source components incorporated into the applications is to blame for the vulnerabilities, but a report from Veracode found that 79% of developers do not update open source libraries after including them in a project. Updating the software regularly is important, because almost all (92%) of open source library vulnerabilities can be fixed with an update, the company found.

Another problem is that developers continue to make the same mistakes. The top five classes of vulnerabilities haven't changed over time, with the most common flaws being information leakage, insufficient session expiration, insufficient transport layer protection, cross-site scripting, and content spoofing, according to the report published by WhiteHat Security. The same vulnerability classes topped the list in January as well.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...