Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

6/7/2016
06:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Enterprises Still Don't Base Vuln Remediation On Risk

New White Hat study shows critical vulnerabilities aren't fixed any faster than other security flaws.

Even after hearing years of dire warnings about the dangers of critical application vulnerabilities, enterprises are still falling down at the job of prioritizing risk in application security programs. In its 11th annual report on web security statistics, White Hat Security this week showed that it takes months to years for most vulnerabilities to be fixed across all industries and that there's still lots of work to do in fixing the systemic reasons why vulnerabilities are remediated so slowly. 

"Despite the growing number of breaches, the state of application security is not improving significantly," says Asma Zubair, director of product management for WhiteHat. "Applications continue to remain vulnerable. About one-third of insurance applications, about 40 percent of banking and financial services applications, about half of healthcare and retail applications, and more than half of manufacturing, food and beverage, and IT applications are always vulnerable."

These statistics are derived from the aggregate data gathered from all of the scanning and remediation work done by WhiteHat in 2015. After crunching the data, it takes an average of 150 days to fix all vulnerabilities, but as Zubair points out, there are a significant number of vulnerabilities that are never fixed, with fewer than half of vulnerabilities being remediated. Additionally, the average time to fix a vulnerability reached a five-year high, after a dip for the previous two years.

Perhaps more troubling, though, is the fact that critical vulnerabilities are not remediated any more quickly than the rest of vulnerabilities, and high-risk vulnerabilities often take the longest of all to fix, with each type aging an average of 300 and 500 days, respectively. As the report notes, this shows that even when faced with limited resources to fix security flaws, organizations are not ranking them based on risk. 

"This finding suggests that systematic risk-based prioritization of security vulnerabilities is not being performed," the report says.

When compared to enterprise swiftness in fixing critical software quality flaws, it becomes clear that executives and security practitioners are failing to set or enforce SLAs for fixing the security flaws, WhiteHat's research says, explaining that organizations have to do a better job building security assessments and remediation processes into the software delivery lifecycle. 

Without that, attackers will continue to make hay while the sun shines. On the exploitation front, a new study out from Akamai this week shows that in the last fiscal quarter, there was a 25.5% increase of web application attacks, with particularly huge gains in web application attacks over HTTPS, which spiked by nearly 234%. Interestingly, there's also been a huge uptick in SQL injection attacks, with an 87.3% jump in that area.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KateOrnelas12
100%
0%
KateOrnelas12,
User Rank: Apprentice
6/8/2016 | 7:17:21 AM
awesome
it is great that we have blogs like yours, so I do not have to go to google to find the info I need.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20288
PUBLISHED: 2021-04-15
An authentication flaw was found in ceph in versions before 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associa...
CVE-2021-31229
PUBLISHED: 2021-04-15
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one byte constant.
CVE-2021-28548
PUBLISHED: 2021-04-15
Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploi...
CVE-2021-28549
PUBLISHED: 2021-04-15
Adobe Photoshop versions 21.2.6 (and earlier) and 22.3 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted JSX file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploi...
CVE-2021-30209
PUBLISHED: 2021-04-15
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.