Dark Reading is part of the Informa Tech Division of Informa PLC



Enterprises Still Don't Base Vuln Remediation On Risk

New WhiteHat study shows critical vulnerabilities aren't fixed any faster than other security flaws.

Even after hearing years of dire warnings about the dangers of critical application vulnerabilities, enterprises are still falling down on the job of prioritizing risk in their application security programs. In its 11th annual report on web security statistics, WhiteHat Security this week showed that it takes months to years for most vulnerabilities to be fixed across all industries, and that there is still a lot of work to do in fixing the systemic reasons why vulnerabilities are remediated so slowly.

"Despite the growing number of breaches, the state of application security is not improving significantly," says Asma Zubair, director of product management for WhiteHat. "Applications continue to remain vulnerable. About one-third of insurance applications, about 40 percent of banking and financial services applications, about half of healthcare and retail applications, and more than half of manufacturing, food and beverage, and IT applications are always vulnerable."

These statistics are derived from the aggregate data gathered from all of the scanning and remediation work WhiteHat did in 2015. Crunching that data shows that the average time to fix, across all vulnerabilities, is 150 days. But as Zubair points out, a significant number of vulnerabilities are never fixed at all: fewer than half of vulnerabilities are remediated. Additionally, the average time to fix a vulnerability reached a five-year high, after dipping for the previous two years.

Perhaps more troubling, though, is the fact that critical vulnerabilities are not remediated any more quickly than the rest, and high-risk vulnerabilities often take the longest of all to fix: critical and high-risk vulnerabilities age an average of 300 and 500 days, respectively. As the report notes, this shows that even when faced with limited resources to fix security flaws, organizations are not ranking them based on risk.

"This finding suggests that systematic risk-based prioritization of security vulnerabilities is not being performed," the report says.

When compared with how swiftly enterprises fix critical software quality flaws, it becomes clear that executives and security practitioners are failing to set or enforce SLAs for fixing security flaws, WhiteHat's research says. Organizations, the report explains, have to do a better job of building security assessments and remediation processes into the software delivery lifecycle.
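The risk-based prioritization and per-severity SLAs that the report finds missing can be measured directly from a vulnerability tracker's records. The following is an added example, not code from WhiteHat or the report: it computes mean age, remediation rate and SLA overrun per severity tier over constructed sample records and flags the inverted pattern described above (a less severe tier being fixed faster than a more severe one); the SLA day values and the records are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed remediation SLAs per severity tier, in days (illustrative values,
# not figures from the WhiteHat report). Order is most to least severe.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

@dataclass
class Vuln:
    vid: str
    severity: str
    opened: date
    fixed: Optional[date] = None  # None means the finding is still open

def age_days(v: Vuln, as_of: date) -> int:
    """Days from discovery to fix, or to `as_of` if the finding is still open."""
    return ((v.fixed or as_of) - v.opened).days

def summarize(vulns, as_of: date):
    """Per tier: mean age in days, percent remediated, percent beyond SLA."""
    out = {}
    for sev in SLA_DAYS:
        group = [v for v in vulns if v.severity == sev]
        if not group:
            continue
        ages = [age_days(v, as_of) for v in group]
        out[sev] = {
            "mean_age_days": round(mean(ages), 1),
            "remediated_pct": round(100 * sum(v.fixed is not None for v in group) / len(group), 1),
            "past_sla_pct": round(100 * sum(a > SLA_DAYS[sev] for a in ages) / len(group), 1),
        }
    return out

def prioritization_inverted(summary) -> bool:
    """True when some tier ages longer than the next less severe tier,
    i.e. remediation effort is not being ranked by risk."""
    ages = [summary[s]["mean_age_days"] for s in SLA_DAYS if s in summary]
    return any(ages[i] > ages[i + 1] for i in range(len(ages) - 1))

AS_OF = date(2016, 6, 1)
SAMPLE = [  # constructed records, chosen to mirror the report's ~300/~500 day pattern
    Vuln("V1", "critical", date(2015, 7, 1), date(2016, 5, 1)),   # fixed after 305 days
    Vuln("V2", "critical", date(2015, 8, 15)),                    # open 291 days
    Vuln("V3", "high", date(2014, 12, 1)),                        # open 548 days
    Vuln("V4", "high", date(2015, 1, 10), date(2016, 4, 10)),     # fixed after 456 days
    Vuln("V5", "medium", date(2016, 1, 1), date(2016, 3, 1)),     # fixed after 60 days
    Vuln("V6", "low", date(2016, 4, 1), date(2016, 5, 1)),        # fixed after 30 days
]

if __name__ == "__main__":
    report = summarize(SAMPLE, AS_OF)
    for sev, stats in report.items():
        print(sev, stats)
    print("prioritization inverted:", prioritization_inverted(report))
```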

Without that, attackers will continue to make hay while the sun shines. On the exploitation front, a new study out from Akamai this week shows a 25.5% increase in web application attacks in the last fiscal quarter, with particularly large gains in web application attacks over HTTPS, which spiked by nearly 234%. Interestingly, there has also been a big uptick in SQL injection attacks, which jumped 87.3%.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Apprentice
6/8/2016 | 7:17:21 AM
It is great that we have blogs like yours, so I do not have to go to Google to find the info I need.