Research: AppSec Still a Major Concern to Most Businesses
July 2021 by NTT
The threat landscape surrounding web, mobile and API-based applications is evolving rapidly. Therefore, there is a critical need for a frequent and periodic analysis of the overall state of application security.
NTT Application Security is releasing 6-month trend findings in its AppSec Stats Flash Vol. 7, reporting on the current state of application security and the wider threat landscape, including Window of Exposure (WoE), Vulnerability by Class, and Time to Fix. Each month, the AppSec Stats Flash reflects on the evolving threat landscape, tracks key AppSec metrics on an ongoing basis and brings forward key actionable takeaways for security and development teams who are responsible for the applications that run their business.
Key trends from the past six months include:
• Applications in the Utilities sector continue to top the chart, with 66% of applications in the industry having at least one serious exploitable vulnerability throughout the year.
• Education, Manufacturing, and Retail and Wholesale Trade applications each saw an increase in WoE this month. The Wholesale Trade sector experienced a 7% increase in the WoE, while Education, Retail Trade and Manufacturing rose by 4% and Healthcare rose by 2%.
• The Finance and Insurance sectors improved over last month, reporting a 2% drop in their WoE. Conversely, the Healthcare sector’s WoE increased by 2%.
• The Wholesale Trade sector has seen a 15% increase in WoE, while Utilities has experienced an 11% increase since the beginning of the year.
• Manufacturing, Public Administration and Healthcare are large sectors that have each seen a decline in their respective Window of Exposures, likely due to an increased focus on security following targeted breach activity and/or new regulation(s).
• Window of Exposure
o Wholesale Trade as a sector has seen a 15% increase in Window of Exposure, while Utilities as a sector has seen an 11% increase in Window of Exposure since the beginning of the year.
o Manufacturing, Public Administration and Healthcare are large sectors that have seen a decline in their respective Window of Exposures, likely due to increased focus following either targeted breach activity and/or new regulation.
• Remediation Rates
o Remediation rates across all vulnerability severities are decreasing.
o Remediation rates for critical vulnerabilities decreased from 54% at the beginning of the year to 48% at the end of June.
o Remediation rates for high vulnerabilities decreased from 50% at the beginning of the year to 38% at the end of June.
• Time to Fix
o Time to Fix (TTF) for all vulnerability severities is increasing.
o Average TTF for critical vulnerabilities increased from 197 days at the beginning of the year to 202 days at the end of June.
o Average TTF for high vulnerabilities increased from 194 days at the beginning of the year to 246 days at the end of June.
• Window of Exposure
o The utilities industry continues to be the most vulnerable with 66% of applications in this industry having at least 1 serious exploitable vulnerability throughout the year.
o Wholesale Trade WoE increased by 7%.
o Education/Retail/Manufacturing WoE increased by 4%.
o Healthcare WoE increased by 2%.
• Vulnerability Likelihood By Class
o HTTP Response Splitting is on the rise. This vulnerability allows attackers to modify the content of a website, tricking the target user into clicking a malicious link or visiting a malicious website.
o Pedestrian vulnerabilities continue to plague applications. The effort and skill required to discover and exploit these vulnerabilities are low, thus making it easier for the adversary.
• Time to Fix
o Time to Fix has dropped by 3 days, from 205 days to 202 days. While this is a small improvement, it is not nearly enough.
o Critical vulnerabilities remain open on average for 202 days.
• Overall, the remediation rate for severe vulnerabilities is on the decline while the average time to fix is on the increase. These two trends contribute to an overall increase in the window of exposure for applications in general.
• The top 5 vulnerability classes by prevalence remain constant - pointing to a systematic failure to address these well-known vulnerabilities.
• The prevalence of HTTP Response Splitting is on the rise. Organizations should pay special attention to upgrading underlying open-source components that contribute to this application vulnerability.
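The two HTTP Response Splitting points above (the vulnerability class and the remediation advice) are easier to act on with a concrete illustration. The following is an added example, not code from the NTT report: it shows the vulnerable pattern in which an attacker-influenced value is copied verbatim into a response header, a hardened builder that enforces the field-value rules of RFC 7230 (no CR, LF or NUL), and a small checker a defender can use in a regression test to confirm that a raw response contains exactly one status line. The function names and the sample redirect target are assumptions constructed for this example.

```python
import re

# Added example (not from the report). Names such as build_redirect_unsafe,
# build_redirect_safe and count_responses are hypothetical.

CRLF = "\r\n"

# Characters that must never appear in an HTTP header field value (RFC 7230).
_FORBIDDEN_IN_HEADER = re.compile(r"[\r\n\x00]")

# A status line starts a response: "HTTP/1.x <3-digit code> <reason>".
_STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3} ", re.MULTILINE)


def build_redirect_unsafe(target: str) -> str:
    """Vulnerable pattern: the target lands in the Location header unchecked.

    If `target` carries a CR/LF sequence, everything after it is interpreted
    by the client (or an intermediary cache) as further headers, a body, or a
    whole second response. That is what 'response splitting' means.
    """
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_safe(target: str) -> str:
    """Hardened form: refuse any header value containing CR, LF or NUL.

    Rejecting (rather than silently stripping) keeps the failure visible in
    logs, which is what a detection team wants to see.
    """
    if _FORBIDDEN_IN_HEADER.search(target):
        raise ValueError("header value contains CR, LF or NUL: rejected")
    # Safe to reuse the same assembly once the value has been validated.
    return build_redirect_unsafe(target)


def count_responses(raw: str) -> int:
    """Count status lines in a raw HTTP response string.

    A well-formed single response has exactly one. Use this in a regression
    test: feed known-bad input through the application's redirect handling
    and assert the count stays at 1.
    """
    return len(_STATUS_LINE.findall(raw))


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    benign = "https://example.com/account"
    # A value that smuggles a line break and a second status line.
    split = "https://example.com/account" + CRLF + CRLF + "HTTP/1.1 200 OK" + CRLF + CRLF

    print("benign, unsafe builder  ->", count_responses(build_redirect_unsafe(benign)), "response(s)")
    print("injected, unsafe builder ->", count_responses(build_redirect_unsafe(split)), "response(s)")
    try:
        build_redirect_safe(split)
    except ValueError as exc:
        print("injected, safe builder   ->", exc)
```

Most maintained HTTP libraries and frameworks already apply the `build_redirect_safe` rule internally, which is why the report's advice to upgrade the underlying open-source components is the cheapest fix: an outdated component that still concatenates header values is the usual root cause. The `count_responses` check is deliberately simple; it is meant to run in a unit test against the application's own response-building code, not as a network-level scanner.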