Software Time-to-Fix Plateaus as More Apps Tested

Software companies and development teams are testing more software, resulting in the discovery of more vulnerabilities and a struggle among security teams and developers to get the issues fixed, new research shows.

NTT Application Security found that a smaller share of vulnerabilities discovered in the average application are being fixed. At the beginning of the year, for example, 54% of critical vulnerabilities found in the average application were remediated, but by the end of June that rate had shrunk to 48%. The trend held across all levels of vulnerability severity, NTT stated in the AppSec Stats Flash report.

While the rate has fallen, much of that is because companies have tested more applications, resulting in a recent surge of vulnerabilities, says Setu Kulkarni, vice president of strategy at NTT Application Security. The influx of vulnerabilities has resulted in a slightly improved average time-to-fix for critical vulnerabilities by three days, to an average of 202 days over the past 12 months, as a greater portion of issues are recent ones, especially for critical industries that have seen recent attacks, such as utilities.

"We expect to see a plateau in the Window of Exposure for utilities," he says. "After the recent high-profile attacks, we have seen a rise in the number of applications in the sector being tested, but mitigation and remediation have not caught up yet."

The report highlights that companies are still struggling to close critical vulnerabilities. Despite significant attacks — including the recent ransomware incident that spread through vulnerabilities in Kaseya's Virtual System Administrator (VSA) software — at least 60% of utilities, private management firms, and public agencies have applications that expose a serious vulnerability every day of the year. Not far behind, a variety of other industries — such as professional and technical services, wholesale trade, retail trade, manufacturing, education, and information services — have 57% or more applications vulnerable every day of the year. All told, NTT's monthly checkup of application security shows 10 industries have a majority of applications vulnerable year-round, a slight improvement over the previous month when 11 industries had a majority-vulnerable status.

Companies should address the issue by focusing on detecting vulnerabilities in production and being ready to respond to mitigate any issues discovered in legacy software, NTT Application Security says. At the same time, developers of new applications — so-called "greenfield" applications — should focus on integrating application security information into the development process.

"Focus[ing] on reducing the time-to-fix for critical and high-severity vulnerabilities is critical to improving the Window of Exposure and, consequently, the overall security posture of applications," the company states in the report.

A variety of strategies can affect the window of exposure and the time-to-fix. Large, monolithic codebases and a significant pre-existing collection of vulnerabilities can dramatically impact the time-to-fix, reducing the average time by 120 days, according to a 2019 study by application security firm Veracode. Applying both static and dynamic testing can reduce the time-to-fix by 24 days, the study found.

The same collection of five vulnerabilities continue to be common. Information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection, and content spoofing topped the list of issues found by NTT's scans.

The persistence of those issues underscores that developers are not focused on eliminating the most pernicious vulnerabilities, says NTT Application Security's Kulkarni.

"The fact that the same five vulnerability types continue to feature in the top 5 most-likely vulnerabilities by class over the last six months sheds light on the fact that there is not enough targeted enablement amongst development and security staff to learn about and prioritize the fixing of these commonly found vulnerabilities," he says.

The time required to fix issues depends dramatically on industry, with the agriculture, forestry, fishing, and hunting sector requiring the most time-to-fix issues — 513 days, on average. Education, the second slowest industry in terms of time-to-fix, required 478 days.

Organizations, however, continued to prioritize the most severe vulnerabilities, with critical vulnerabilities fixed the fastest at an average of 203 days. High-severity issues required 246 days, while medium- and low-severity issues required 279 days and 366 days, respectively.

A company's cadence in testing vulnerabilities has some impact on the time-to-fix, but in most cases it is small, Kolkarni says.

"Most of the applications we test have periodic recurring testing enabled. In addition, when an issue is fixed, the developer or security engineer typically initiates a retest of that particular vulnerability," he says.

Increasing the cadence of security testing could speed remediation by 22 days, according to Veracode's study.