News
WhiteHat Security: 67% of Utility Applications Have Serious Vulnerabilities
May 2021 by WhiteHat Security
WhiteHat Security is publishing their latest installment of the AppSec Stats Flash report and podcast, surveying the current state of the application security and wider threat landscape. This month the company found the Window of Exposure, a key metric indicative of breach exposure, for applications in the Utilities Sector increased from 55% to 67% since the start of the year, making applications in the sector the second most vulnerable behind Public Administration applications. This means that, much like we have already witnessed with Colonial Pipeline Company, at least 67% of Utility Sector applications have at least one serious exploitable vulnerability open throughout the year.
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, said:
Application security vulnerabilities can cause serious reputational, financial, compliance and operational risk to an organization – which in turn can result in a decline in the quality of service or product they deliver to their end customers. While the recent Colonial Pipeline cyber attack was a ransomware attack, its repercussions are an example of the risks that exist with vulnerable applications as well.
While there are impacts to the organization when an application is breached by threat actors, almost always there is customer/user data at risk. We (the public) entrust some of our most personal information about our health, social security & financial data with these applications. And a breach of any one of these applications puts our (the public’s) data at risk of exposure as well.
Moving forward, organizations need to reduce the risk of being breached via web, mobile and API applications that are running in production serving their clients. To do this, we suggest that organizations start by securing their critical applications by testing them for vulnerabilities in production where the actual risk of being breached is maximum. Once the vulnerabilities on critical systems are known, organizations should immediately mitigate the severe vulnerabilities. This program of testing applications in production and mitigating vulnerabilities in a risk-based manner should then be extended to the next tier of important applications until the entire inventory of applications is covered.
Report Findings:
• Window of Exposure – Key metric that allows organizations to benchmark against their respective industry peers. Window of Exposure for organizations continues to be a worrying sign of breach exposure.
o WoE for Manufacturing decreased from 70% to 63% from over the past 12 months after being the most vulnerable at the start of the year
o WoE for Healthcare improved from 59% at the beginning of the year to 52% last month
o Despite these decreases, the WoE remains high – 63% of all manufacturing apps and 52% of all healthcare apps have at least 1 serious exploitable vulnerability open throughout the year, a worrying sign of breach exposure
o WoE for Utilities Sector increased from 65% last month to 67% this month and from 55% at the beginning of the year, making applications in the sector the second most vulnerable behind Public Administration
• Vulnerability Likelihood By Class - Pedestrian vulnerabilities continue to plague applications. The effort and skill required to discover and exploit these vulnerabilities is fairly low, thus making it easier for the adversary.
o The top-5 vulnerability classes identified in the last 3-mo rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross Site Scripting, Insufficient Transport Layer Protection & Content Spoofing.
o Over the last 3mo, there is a spike in the number of HTTP Response Splitting vulnerabilities in applications from an average of 1.5 vulnerabilities up to 4.4 vulnerabilities.
• Examining WhiteHat reported vulnerability likelihood vis-a-vis OWASP Top 10
o The OWASP A6-Security Misconfiguration (67%), A3-Sensitive Data Exposure (41%), A5-Broken Access Control (17%) and A2- Broken Authentication (10%) account for 4 of the 5 most likely vulnerability classifications among the OWASP Top 10.
o WhiteHat classifies "Insufficient Session Expiration" as a major cause of A2 - Broken Authentication issues and Insufficient Process Validation issues.
• Time to Fix - Focus on reducing average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications
o Average time to fix critical vulnerability is 197 days which is the highest it has been this year, contributing to the large window of exposures.
Key Takeaways:
• High Windows of Exposure is a major concern. Utilities sector applications have seen an up-tick in Window of Exposure. This is likely attributable to increased focus on Security in Utilities which has resulted in more applications being tested. Healthcare and Finance sector applications are steadily improving on or maintaining lower Windows of Exposure.
• Time to Fix has also seen a significant up-tick pointing to a growing need to implement targeted campaigns to address the most commonly found vulnerabilities. The most commonly found vulnerabilities list remains constant.
• OWASP Top 10’s A2 - Broken Authentication are a dangerous set of vulnerabilities that can result in undesirable data & functionality exposure. Insufficient Session Expiration is a major vulnerability class within A2 that is also second most likely vulnerability class to occur in applications across the board.
