Enterprises Still Don't Base Vuln Remediation On Risk

New WhiteHat study shows critical vulnerabilities aren't fixed any faster than other security flaws.

Even after years of dire warnings about the dangers of critical application vulnerabilities, enterprises are still falling short at prioritizing risk in their application security programs. In its 11th annual report on web security statistics, WhiteHat Security this week showed that it takes months to years for most vulnerabilities to be fixed across all industries, and that there is still much work to do in addressing the systemic reasons vulnerabilities are remediated so slowly.

"Despite the growing number of breaches, the state of application security is not improving significantly," says Asma Zubair, director of product management for WhiteHat. "Applications continue to remain vulnerable. About one-third of insurance applications, about 40 percent of banking and financial services applications, about half of healthcare and retail applications, and more than half of manufacturing, food and beverage, and IT applications are always vulnerable."

These statistics are derived from aggregate data gathered from all of the scanning and remediation work WhiteHat performed in 2015. The data shows that it takes an average of 150 days to fix a vulnerability, taken across all vulnerabilities, but, as Zubair points out, a significant number of vulnerabilities are never fixed at all: fewer than half are remediated. Additionally, the average time to fix a vulnerability reached a five-year high, after dipping for the previous two years.

Perhaps more troubling is that critical vulnerabilities are not remediated any more quickly than the rest, and high-risk vulnerabilities often take the longest of all to fix: critical and high-risk vulnerabilities age an average of 300 and 500 days, respectively. As the report notes, this shows that even with limited resources to fix security flaws, organizations are not ranking them by risk.

"This finding suggests that systematic risk-based prioritization of security vulnerabilities is not being performed," the report says.

When compared with how swiftly enterprises fix critical software quality flaws, it becomes clear that executives and security practitioners are failing to set or enforce SLAs for fixing security flaws, WhiteHat's research says. Organizations, it concludes, have to do a better job of building security assessments and remediation processes into the software delivery lifecycle.
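The report's two measurements, time-to-fix by severity and the share of findings ever remediated, are also the numbers a security team needs in order to tell whether its own program is risk-prioritized and whether its SLAs are being met. The following is an added example, not code from the article or from WhiteHat: it computes those metrics over a constructed set of findings and checks the risk-ordering the report says most organizations fail. The finding records, dates and per-severity SLA days are all constructed or assumed policy values, not figures taken from the page.

```python
"""
Added example (not from the Dark Reading article or WhiteHat's report):
per-severity remediation metrics over a constructed set of findings, plus a
check that remediation speed actually tracks severity. The SLA days are an
assumed policy, not figures from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, Optional

# Assumed remediation SLAs in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the finding is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days from discovery to fix, or to the reporting date if still open."""
    end = f.closed if f.closed is not None else as_of
    return (end - f.opened).days


def remediation_report(findings: Iterable[Finding], as_of: date) -> Dict[str, dict]:
    """Per-severity remediation rate, mean time-to-fix, mean age and SLA breaches."""
    by_sev = defaultdict(list)
    for f in findings:
        by_sev[f.severity].append(f)
    report = {}
    for sev in SEVERITY_ORDER:
        group = by_sev.get(sev, [])
        if not group:
            continue
        fixed = [f for f in group if f.closed is not None]
        ages = [age_days(f, as_of) for f in group]
        # A breach is any finding fixed late or still open past its SLA.
        breaches = [f.finding_id for f in group if age_days(f, as_of) > SLA_DAYS[sev]]
        report[sev] = {
            "total": len(group),
            "remediated_pct": round(100.0 * len(fixed) / len(group), 1),
            "mean_time_to_fix_days": (
                round(mean(age_days(f, as_of) for f in fixed), 1) if fixed else None
            ),
            "mean_age_days": round(mean(ages), 1),
            "sla_breaches": breaches,
        }
    return report


def is_risk_prioritized(report: Dict[str, dict]) -> bool:
    """True when mean age strictly falls as severity rises, i.e. the most
    severe findings are closed fastest. The article's finding is that this
    ordering does not hold in most organizations."""
    ages = [report[s]["mean_age_days"] for s in SEVERITY_ORDER if s in report]
    return all(a < b for a, b in zip(ages, ages[1:]))


# Constructed sample data shaped like the article's finding: criticals and
# highs linger as long as or longer than lower-severity flaws.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2015, 1, 10), date(2015, 11, 6)),  # 300 days
    Finding("F-2", "critical", date(2015, 3, 1), None),                 # still open
    Finding("F-3", "high", date(2014, 9, 1), date(2016, 1, 14)),        # 500 days
    Finding("F-4", "high", date(2015, 6, 1), None),                     # still open
    Finding("F-5", "medium", date(2015, 7, 1), date(2015, 9, 29)),      # 90 days
    Finding("F-6", "low", date(2015, 10, 1), date(2015, 11, 30)),       # 60 days
]
AS_OF = date(2016, 5, 31)  # constructed reporting date

if __name__ == "__main__":
    rep = remediation_report(SAMPLE_FINDINGS, AS_OF)
    for sev, row in rep.items():
        print(sev, row)
    print("risk-prioritized:", is_risk_prioritized(rep))
```

Open findings are counted at their current age rather than dropped, so a backlog of unfixed criticals pushes the critical mean age up instead of hiding behind a healthy-looking mean time-to-fix for the few that were closed; that is the distinction between the 150-day average and the "fewer than half remediated" figure the article draws.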

Without that, attackers will continue to make hay while the sun shines. On the exploitation front, a new study out from Akamai this week shows a 25.5% increase in web application attacks in the last fiscal quarter, with particularly large gains in web application attacks over HTTPS, which spiked by nearly 234%. There has also been a big uptick in SQL injection attacks, which jumped 87.3%.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
