Even after years of dire warnings about the dangers of critical application vulnerabilities, enterprises are still falling down on the job of prioritizing risk in their application security programs. In its 11th annual report on web security statistics, released this week, WhiteHat Security shows that most vulnerabilities take months to years to fix across all industries, and that there is still a lot of work to do on the systemic reasons remediation is so slow.
"Despite the growing number of breaches, the state of application security is not improving significantly," says Asma Zubair, director of product management for WhiteHat. "Applications continue to remain vulnerable. About one-third of insurance applications, about 40 percent of banking and financial services applications, about half of healthcare and retail applications, and more than half of manufacturing, food and beverage, and IT applications are always vulnerable."
These statistics are derived from the aggregate data gathered from all of the scanning and remediation work WhiteHat performed in 2015. Across that data, the average time to fix a vulnerability works out to about 150 days, but, as Zubair points out, a significant number of vulnerabilities are never fixed at all: fewer than half are remediated. The average time to fix also reached a five-year high, after dipping in each of the previous two years.
Perhaps more troubling is that critical vulnerabilities are not remediated any faster than the rest, and high-risk vulnerabilities often take the longest of all to fix, with critical and high-risk findings aging an average of 300 and 500 days, respectively. As the report notes, this shows that even when resources for fixing security flaws are limited, organizations are not ranking those flaws by risk.
"This finding suggests that systematic risk-based prioritization of security vulnerabilities is not being performed," the report says.
Set against how quickly enterprises fix critical software quality defects, it becomes clear that executives and security practitioners are failing to set or enforce SLAs for fixing security flaws, WhiteHat's research says. Organizations, the report adds, need to do a better job of building security assessment and remediation into the software delivery lifecycle.
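The two failures the report describes, no risk-based ordering of the backlog and no enforced time-to-fix SLAs, are easy to make visible from a findings export. The following is an added example, not code from WhiteHat or from the report: it computes mean time to fix and mean open age per severity, the remediation rate, a work queue ordered by severity and then age, and the list of open findings that have outlived their SLA. The per-severity SLA values, the severity ranking and the sample findings are all assumptions constructed for the example.

```python
"""Time-to-fix, prioritization and SLA tracking over a constructed findings list."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Hypothetical per-severity time-to-fix SLAs in days. These are an assumption
# for the example; the report does not prescribe specific SLA values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Lower rank is fixed first (assumed ordering).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str
    opened: date
    fixed: Optional[date] = None  # None means the finding is still open

    def age_days(self, today: date) -> int:
        """Days from discovery to fix, or to `today` if still open."""
        return ((self.fixed or today) - self.opened).days

    def is_open(self) -> bool:
        return self.fixed is None


def _mean_age_by_severity(findings, today):
    """Average age in days per severity; severities with no findings are omitted."""
    return {
        sev: mean(f.age_days(today) for f in findings if f.severity == sev)
        for sev in SEVERITY_RANK
        if any(f.severity == sev for f in findings)
    }


def mean_time_to_fix(findings, today):
    """Average days to remediate, per severity, counting fixed findings only."""
    return _mean_age_by_severity([f for f in findings if not f.is_open()], today)


def mean_open_age(findings, today):
    """Average age in days of findings that are still open, per severity."""
    return _mean_age_by_severity([f for f in findings if f.is_open()], today)


def remediation_rate(findings):
    """Fraction of all findings that have been fixed."""
    return sum(1 for f in findings if not f.is_open()) / len(findings)


def prioritize(findings, today):
    """Open findings ordered by severity first, then oldest first within a severity."""
    return sorted(
        (f for f in findings if f.is_open()),
        key=lambda f: (SEVERITY_RANK[f.severity], -f.age_days(today)),
    )


def sla_breaches(findings, today):
    """Identifiers of open findings that are older than their severity's SLA."""
    return [
        f.ident for f in prioritize(findings, today)
        if f.age_days(today) > SLA_DAYS[f.severity]
    ]


# Constructed sample findings for the example, not real scan data.
TODAY = date(2016, 6, 1)
SAMPLE = [
    Finding("C-1", "critical", date(2016, 1, 1), date(2016, 5, 30)),
    Finding("C-2", "critical", date(2015, 8, 1)),
    Finding("H-1", "high", date(2015, 1, 1)),
    Finding("H-2", "high", date(2016, 3, 1), date(2016, 3, 21)),
    Finding("M-1", "medium", date(2016, 5, 1)),
    Finding("L-1", "low", date(2016, 1, 1), date(2016, 2, 10)),
]

if __name__ == "__main__":
    print("mean time to fix (days):", mean_time_to_fix(SAMPLE, TODAY))
    print("mean open age (days):", mean_open_age(SAMPLE, TODAY))
    print("remediation rate:", remediation_rate(SAMPLE))
    print("work queue:", [f.ident for f in prioritize(SAMPLE, TODAY)])
    print("SLA breaches:", sla_breaches(SAMPLE, TODAY))
```

On the sample data the queue puts the open critical finding ahead of the much older high-risk one, which is the ordering a risk-based process produces; sorting by age alone would invert it. Tracking mean open age separately from mean time to fix matters because, as the report observes, a large share of findings are never closed and so never enter the time-to-fix average at all.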
Without that, attackers will keep making hay while the sun shines. On the exploitation front, a new study from Akamai, also out this week, shows that web application attacks rose 25.5% in the last fiscal quarter, with a particularly large gain in web application attacks over HTTPS, which spiked by nearly 234%. SQL injection attacks also saw a sharp uptick, jumping 87.3%.