Dark Reading is part of the Informa Tech Division of Informa PLC


04:35 PM

Organizations Continue to Struggle With App Vulns

A high percentage of discovered bugs remain unremediated for a long time, a new study shows.

Chances are high that almost every single application an organization uses has at least one security vulnerability in it.

Contrast Security recently analyzed telemetry gathered between June 2019 and May 2020 from applications in development, testing, and operations at customer locations. The exercise found 96% of applications contained at least one security bug — more than one-quarter of them serious. Eleven percent of the applications analyzed had six or more serious vulnerabilities.

As usual, cross-site scripting errors, broken access control, and SQL injection errors topped the list of serious vulnerabilities that Contrast's researchers encountered. More than seven in 10 (72%) had insecure configuration vulnerabilities and 64% were vulnerable to sensitive data exposure.

Contrast's research shows attackers are relentlessly probing for these vulnerabilities to try and break into applications. The company counted over 13,000 attacks per month on average against individual applications — 98% of which were just probes that did not hit an existing vulnerability. Contrast counted a sharp increase — 179% over the previous year — in attacks targeting command injection vulnerabilities in particular. Though such flaws are rare, they are easy to scan for and allow attackers to take complete control of a web application server, says Jeff Williams, co-founder and CTO at Contrast Security.

"Enterprises need to recognize that their applications are both vulnerable and [under] attack," Williams says. "The data shows that attackers are persistent and use smart strategy by targeting the most prevalent vulnerabilities, with a special focus on vulnerabilities with the most critical impact."

Much of the attack traffic is generated by automated tools and, fortunately, never connects with the corresponding vulnerability.

"[They are] like rocks thrown at a building that don't hit a window," he says.

Contrast found many organizations are continuing to struggle with vulnerability remediation. The mean time to remediate a flaw was 67 days for all vulnerabilities and 36 days for the serious ones. The company found 50% of vulnerabilities are remediated in seven days and 62% of the serious ones in just three days.

But the remaining flaws tended to take much longer to address. Contrast found that if an organization did not remediate a discovered vulnerability within the first 30 days, the vulnerability tended to remain unresolved even after 90 days. Even among the serious flaws, 65% of those that were not remediated expeditiously remained unremediated after 90 days, heightening risk for organizations.

"Once a vulnerability survives that first 30 days, it's more likely to get put into a backlog," Williams says.

Someone might choose not to immediately remediate a flaw because they have another mitigating control in place. "But sometimes vulnerabilities are simply ignored by development teams and remain unfixed for long periods of time," Williams notes.

How to Prioritize Remediation
Joseph Feiman, chief strategy officer at WhiteHat Security, cites other reasons why organizations drag their feet on vulnerability remediation.

"If the application security testing tool is not accurate and produces too many false positives, it will take too much time for developers to figure out which ones to prioritize," he says.

Feiman says the way organizations should prioritize their remediation efforts is to consider the severity of a disclosed flaw, determine how critical the vulnerable application is to the business, and determine how hard it is for a hacker to detect and exploit the issue.

Several organizations have severity-based vulnerability management policies and procedures in place that dictate the speed at which issues are remediated, says David Faraone, director and virtual CISO at the Crypsis Group.

"For example, a policy statement may state that for any vulnerability with a CVSS score of 9.0 or higher, organizations have an emergency procedure in place to patch 100% of these identified matters within 24 hours," he says.

Others might have higher risk thresholds based on the type of asset or system that is impacted. 

"For example, an organization's vulnerability management goal may have a target of patching 90% of all servers within two weeks of identifying the vulnerability impacting that system category," Faraone adds.
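As an added illustration (not code from the article or from any of the vendors quoted), the following Python sketch applies a severity-based policy of the kind Faraone describes, plus the severity-times-business-criticality ordering Feiman suggests, to a constructed set of findings: it reports mean time to remediate, the share fixed within seven days, SLA breaches, and which open findings have passed the 30-day point after which Contrast saw vulnerabilities stay open. The SLA thresholds, field names and the FIND-000n identifiers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Assumed policy modelled on the article's examples: CVSS 9.0+ gets a 24-hour
# emergency SLA, other server findings 14 days, everything else 30 days.
EMERGENCY_CVSS = 9.0
SLA = {"emergency": timedelta(hours=24), "server": timedelta(days=14), "default": timedelta(days=30)}
BACKLOG_CLIFF = timedelta(days=30)  # the "survives 30 days, stays open" point Contrast observed

@dataclass
class Finding:
    vuln_id: str          # constructed identifier, not a real CVE
    cvss: float
    asset_class: str      # "server" or "workstation"
    criticality: int      # 1 (low) .. 3 (business-critical), per Feiman's criteria
    discovered: datetime
    remediated: datetime = None  # None while still open

def sla_for(f: Finding) -> timedelta:
    if f.cvss >= EMERGENCY_CVSS:
        return SLA["emergency"]
    return SLA["server"] if f.asset_class == "server" else SLA["default"]

def breached(f: Finding, now: datetime) -> bool:
    return (f.remediated or now) > f.discovered + sla_for(f)  # fixed, or still open, past the deadline

def likely_backlog(f: Finding, now: datetime) -> bool:
    return f.remediated is None and now - f.discovered > BACKLOG_CLIFF  # open past the 30-day cliff

def report(findings: list, now: datetime) -> dict:
    closed = [f for f in findings if f.remediated]
    fix_days = [(f.remediated - f.discovered).days for f in closed]
    open_ = sorted((f for f in findings if f.remediated is None),
                   key=lambda f: f.cvss * f.criticality, reverse=True)  # severity x criticality
    return {
        "mttr_days": round(mean(fix_days), 1) if fix_days else None,
        "pct_fixed_within_7_days": round(100 * sum(d <= 7 for d in fix_days) / len(findings), 1),
        "sla_breaches": [f.vuln_id for f in findings if breached(f, now)],
        "backlog": [f.vuln_id for f in findings if likely_backlog(f, now)],
        "open_by_priority": [f.vuln_id for f in open_],
    }

# Constructed sample findings (not from the article's data set); NOW is the report date.
NOW = datetime(2020, 6, 1)
SAMPLE = [
    Finding("FIND-0001", 9.8, "server", 3, datetime(2020, 5, 1, 9), datetime(2020, 5, 1, 20)),
    Finding("FIND-0002", 9.1, "server", 2, datetime(2020, 5, 2, 9), datetime(2020, 5, 5, 9)),
    Finding("FIND-0003", 7.5, "server", 3, datetime(2020, 4, 20), datetime(2020, 5, 1)),
    Finding("FIND-0004", 5.3, "workstation", 1, datetime(2020, 4, 15)),
    Finding("FIND-0005", 6.1, "workstation", 3, datetime(2020, 5, 20)),
]
```

Calling `report(SAMPLE, NOW)` flags FIND-0002 (a 9.1 fixed in three days, missing the 24-hour window) and FIND-0004 (open 47 days, so both an SLA breach and a likely backlog item), while FIND-0005 ranks first among open items because it sits on a business-critical asset.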

Ultimately, it is the maturity of the security team that determines how good an organization is at vulnerability remediation, Faraone says.

"An often overlooked precursor to managing critical risks is having a formal cyber-risk management program in place that is supported by senior leadership," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.