Dark Reading is part of the Informa Tech Division of Informa PLC



Majority of Web Apps in 11 Industries Are Vulnerable All the Time

Serious vulnerabilities exist every day in certain industries, including utilities, public administration, and professional services, according to testing data.

Two-thirds of the applications deployed by the utility sector and 63% of those deployed by public administration organizations have a serious vulnerability undermining security every day of the year, according to a report published by WhiteHat Security on June 22. 


Overall, 11 industries saw a serious vulnerability in at least half of their applications every day for the last year. The top three industries on the list — utilities, public administration, and professional services — take at least 288 days on average to fix vulnerabilities, according to the company's monthly AppSec Stats Flash report for June.

The slow patching cadence happens because, in many cases, there is a long tail of legacy applications that do not have an active development team working on them, says Setu Kulkarni, vice president of strategy at WhiteHat Security.

"Once you find the vulnerability, fixing that vulnerability is not a trivial process because you have to find the right development team, and in many cases, that development team is long gone," he says. "Some of the applications that we use every day are the ones that have been in production for the longest time."

Overall, the time required to fix critical vulnerabilities averaged 205 days for issues fixed in the past three months, up from 194 days in WhiteHat's January report and significantly higher than the 148 days for all of 2020, according to the report. 

The trend is being fueled, at least partially, by an increase in testing for new applications and legacy applications that have not previously been tested, according to WhiteHat. The number of tested applications has increased by about 10% across the major industry sectors, with two vulnerabilities found on average per site. Companies have expanded testing because recent ransomware attacks have raised business-continuity concerns and because the pandemic has the average company deploying more cloud applications to support remote workers. 

"These high-average time-to-fix results contribute to the large window of exposures," the report states, adding that "[f]ocus on reducing average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications."
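The two numbers the report keeps returning to, the window of exposure (days in the year on which an app had at least one open serious finding) and the average time to fix, are straightforward to compute from a findings export. The following is an added example, not WhiteHat's code or data: it uses a constructed list of findings and an assumed one-year window ending the day before the June 22 report, and it buckets apps the way the article does ("always vulnerable" versus "vulnerable for 30 days or less").

```python
from datetime import date, timedelta

# One-year reporting window assumed for this example, ending the day before
# the June 22 report.
WINDOW_START = date(2020, 6, 22)
WINDOW_END = date(2021, 6, 21)
SERIOUS = {"critical", "high"}

# Constructed findings (app, severity, opened, closed-or-None); not WhiteHat data.
FINDINGS = [
    ("billing-portal", "critical", date(2020, 5, 1), date(2021, 4, 15)),
    ("billing-portal", "high", date(2021, 4, 1), None),
    ("outage-map", "critical", date(2021, 1, 10), date(2021, 2, 4)),
    ("outage-map", "medium", date(2020, 3, 1), None),
    ("hr-intranet", "high", date(2020, 11, 20), date(2021, 6, 1)),
    ("kiosk", "medium", date(2021, 3, 3), None),
]


def exposed_days(findings, start=WINDOW_START, end=WINDOW_END, serious=SERIOUS):
    """Days in [start, end] on which each app had at least one open serious
    finding. A finding closed on day D is counted as open through D-1."""
    days = {app: set() for app, *_ in findings}
    for app, sev, opened, closed in findings:
        if sev not in serious:
            continue
        first = max(opened, start)
        last = min(closed - timedelta(days=1) if closed else end, end)
        for i in range((last - first).days + 1):   # empty range if last < first
            days[app].add(first + timedelta(days=i))
    return {app: len(d) for app, d in days.items()}


def classify(days_exposed, window_days=(WINDOW_END - WINDOW_START).days + 1):
    """Bucket an app the way the report does: always vulnerable, 30 days or
    less, or somewhere in between."""
    if days_exposed >= window_days:
        return "always vulnerable"
    if days_exposed <= 30:
        return "30 days or less"
    return "partially exposed"


def mean_time_to_fix(findings, start=WINDOW_START, end=WINDOW_END, serious=SERIOUS):
    """Average open-to-close duration, in days, for serious findings closed in the window."""
    fixed = [(closed - opened).days for _, sev, opened, closed in findings
             if sev in serious and closed and start <= closed <= end]
    return sum(fixed) / len(fixed) if fixed else None


if __name__ == "__main__":
    for app, n in sorted(exposed_days(FINDINGS).items()):
        print(f"{app:15s} {n:3d} days exposed -> {classify(n)}")
    print("mean time to fix (serious):", mean_time_to_fix(FINDINGS))
```

Note that a single long-lived critical finding is enough to put an app in the "always vulnerable" bucket for the whole window even if every other finding was fixed quickly, which is why the report ties the window of exposure so directly to time to fix.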

The trend is most obvious in the rise of the utility sector to the top of the list — the sector was ranked eighth in January. The rise does not necessarily indicate that the sector is more vulnerable but that companies in the sector are testing more applications, arguably a trend that will improve overall security.

A number of attacks on utilities — most recently, the Colonial Pipeline attack — have companies in that sector testing more of their software, Kulkarni says.

"If you draw a timeline of the increase, it pretty much started as Colonial got hacked, a lot of utilities started increasing the number of applications under test, and we started finding more vulnerabilities," he says. "These are applications that potentially were only tested once before they were deployed."

Finance and insurance companies, an industry sector frequently targeted in the past, have performed much better, though not stellar. The sector ranked 13th on the list of sectors with long windows of exposure: 43% of its applications were always vulnerable, while 29% were vulnerable for 30 days or less. 

"These organizations, when they find a critical vulnerability, they are able to fix them or mitigate them within 30 days at a much better rate compared to all other industries," Kulkarni says. "They are the cutting edge of adopting technology processes — such as agile and DevOps — and they have more mature application security programs."

The report does not break down whether first-party code written by internal developers or the open source components incorporated into the applications are to blame for the vulnerabilities, but a separate report from Veracode found that 79% of developers do not update open source libraries after adding them to a project. Keeping those libraries current matters because almost all (92%) of open source library vulnerabilities can be fixed with an update, Veracode found.
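The cheapest check behind the Veracode numbers is comparing what a project pins against the first release that carries a fix. The following is an added example, not code from either report: the requirements file content and the advisory table are constructed, the package names are made up, and a real run would source the fixed-in versions from a vulnerability database. It also shows the edge case the stat glosses over: an unpinned range cannot be judged at all without a lockfile.

```python
import re

# Constructed requirements.txt content for this example.
REQUIREMENTS = """\
examplelib==1.4.2
otherlib>=2.0
thirdlib==3.0.0      # already past the fixed release
fourthlib==0.9.1
"""

# Hypothetical advisory table: package -> first release that contains the fix.
# Real data would come from a vulnerability database; these names are made up.
FIXED_IN = {
    "examplelib": "1.5.0",
    "thirdlib": "2.8.0",
    "fourthlib": "1.0.0",
}


def version_key(v):
    """Compare versions numerically on their dotted integer components ('1.10' > '1.9')."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_requirements(text):
    """Yield (name, operator, version) per non-comment line; operator/version may be None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([\w.]+)?", line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def check(requirements=REQUIREMENTS, fixed_in=FIXED_IN):
    """Return exact pins that sit below the fixed release, plus entries that are
    not pinned exactly (those need a resolved lockfile before they can be judged)."""
    affected, unpinned = [], []
    for name, op, ver in parse_requirements(requirements):
        if op != "==" or ver is None:
            unpinned.append(name)
            continue
        fix = fixed_in.get(name)
        if fix and version_key(ver) < version_key(fix):
            affected.append((name, ver, fix))
    return {"affected": affected, "unpinned": unpinned}


if __name__ == "__main__":
    report = check()
    for name, ver, fix in report["affected"]:
        print(f"{name}=={ver} is below the fixed release {fix}; update it")
    for name in report["unpinned"]:
        print(f"{name} is not pinned exactly; resolve it from a lockfile before checking")
```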

Another problem is that developers continue to make the same mistakes. The top five classes of vulnerabilities haven't changed over time, with the most common flaws being information leakage, insufficient session expiration, insufficient transport layer protection, cross-site scripting, and content spoofing, according to the report published by WhiteHat Security. The same vulnerability classes topped the list in January as well.
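Three of the five classes the report names, information leakage, insufficient transport layer protection, and (partly) insufficient session expiration, show up in response headers, which makes them cheap to catch before a scanner does. The following is an added example, not WhiteHat's scanner logic: it audits two constructed HTTP responses, a weak one and its hardened counterpart, and maps what it finds onto those class names. The session-cookie name pattern and the eight-hour lifetime threshold are assumptions for the example; cross-site scripting and content spoofing need the response body and are not covered here.

```python
import re

# Constructed responses for this example (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Max-Age=2592000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1800\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

SESSION_COOKIE = re.compile(r"sess|sid|auth|token", re.I)   # assumed name heuristic
MAX_SESSION_SECONDS = 8 * 3600                                # assumed policy threshold


def parse_headers(raw):
    """Return [(name_lower, value)] from a raw HTTP response, status line dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out.append((name.strip().lower(), value.strip()))
    return out


def cookie_attrs(set_cookie):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit(raw):
    """Map header-level weaknesses onto three of the report's vulnerability classes."""
    headers = parse_headers(raw)
    findings = {}

    def values(n):
        return [v for k, v in headers if k == n]

    def note(cls, msg):
        findings.setdefault(cls, []).append(msg)

    # Information leakage: product versions or platform banners in headers.
    for v in values("server"):
        if re.search(r"\d+\.\d+", v):
            note("information leakage", f"Server discloses version: {v}")
    for h in ("x-powered-by", "x-aspnet-version"):
        for v in values(h):
            note("information leakage", f"{h} discloses platform: {v}")

    # Insufficient transport layer protection: no HSTS, or a session cookie
    # the browser may send over plain HTTP.
    if not values("strict-transport-security"):
        note("insufficient transport layer protection", "Strict-Transport-Security missing")
    for sc in values("set-cookie"):
        name, attrs = cookie_attrs(sc)
        if not SESSION_COOKIE.search(name):
            continue
        if "secure" not in attrs:
            note("insufficient transport layer protection", f"cookie {name} lacks Secure")
        # Insufficient session expiration: only the client-side lifetime is
        # visible here; whether the server invalidates the session is not.
        max_age = attrs.get("max-age", "")
        if max_age.isdigit() and int(max_age) > MAX_SESSION_SECONDS:
            note("insufficient session expiration", f"cookie {name} lives {max_age}s")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or "no header-level findings")
```

A clean result from this check only means the headers are clean; a server that never invalidates sessions on logout, or that reflects user input into HTML, will still score as insufficient session expiration or cross-site scripting under a real test.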
