Global organizations continue to struggle against the rising tide of application-specific and web-application attacks. In fact, 50% of all sites were vulnerable to at least one serious exploitable vulnerability throughout 2021, according to a new report by NTT Application Security.
The report is the product of an exhaustive analysis of the data generated from more than 15 million application security scans performed by organizations throughout 2021 — a year that will likely be remembered as one of the most significant for the wider cybersecurity landscape — and aims to provide actionable takeaways for security and development teams responsible for securing the web applications that run their business.
Highlighted by the Colonial Pipeline attack, President Biden’s Executive Order for “improving the nation’s cybersecurity,” and the ongoing Log4j fallout, the events of the past year brought application security to the forefront of all conversations. Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there is evidence that this unintentionally led to an overall negative result, as “fire-drill” remediation initiatives seem to occur as a tradeoff with — rather than an addition to — existing remediation efforts. These events, coupled with the explosive growth in web applications accelerated by the COVID-19 pandemic, as well as the rapid adoption of modern practices that let developers build and deliver valuable functionality quickly, have led the market to an inflection point in how we approach application security testing.
The finance and insurance industry (43%) had the smallest percentage of sites perpetually exposed throughout 2021, while the professional, scientific, and technical services industry (65%) had the largest percentage of sites perpetually exposed.
The average Time-to-Fix for a critical vulnerability in 2021 ended 1.7 days shorter than it began (193.1 vs. 194.8 days). While that data point does show a positive trend, the reduction is insignificant when considered against the reported increase in Time-to-Fix across all other risk categories throughout the year. The Education industry (523.5 days) had the longest Time-to-Fix for a critical vulnerability across all industries — nearly 335 days more than Public Administration (188.6 days), which maintained the shortest timeframe throughout the year.
NTT Application Security found that the vulnerability classes most likely to be detected remained relatively static throughout the year, while also indicating that well-known vulnerability classes plagued applications. Considering that the effort and skill required to discover and exploit these vulnerabilities is fairly low, it’s clear that attackers benefited from a target-rich environment in 2021.
Read the full report by NTT Application Security.