With all the talk about the ongoing menace of ransomware, it’s easy to overlook application-specific attacks. But new research from WhiteHat Security shows that there might just be a greater likelihood of the latter.
Most troubling in the latest installment of the company’s AppSec Stats Flash report are the increased window of exposure for apps in the utilities sector—up from 55% to 67%—and the average time to fix a critical vulnerability, which, at 197 days, is at an all-time high for the year to date.
Neither bodes well in a post-Colonial Pipeline world, where a devastating ransomware attack led to the shutdown of a major pipeline and prompted the Department of Homeland Security (DHS) and Transportation Security Administration (TSA) to issue a cybersecurity directive for the oil and gas industry. The order requires, among other things, mandatory breach reporting.
The window of exposure figure indicates that at least 67% of apps in the utility sector sport at least one serious, exploitable vulnerability throughout the year, according to Setu Kulkarni, vice president of strategy at WhiteHat.
Noting that WhiteHat has “seen an increase in the number of requests to test applications in the utilities industry,” Kulkarni said. “The increase in the number of applications being tested is resulting in a high window of exposure,” he added. The company intends to continue tracking that data point, he said, “since the vulnerabilities that are found should be addressed rapidly and reduce the window of exposure for these apps.”
While health care and finance sector applications have seen declining or steady windows of exposure, the numbers overall are not low. “While we see the window of exposure data getting better for health care and financial applications, the overall state of affairs is concerning. The average window of exposure for applications across all industries still remains in the 40% to 50% range – meaning 40% to 50% percent of the applications we use have exploitable vulnerabilities,” said Kulkarni.
The window of exposure is a key metric that indicates breach exposure, and WhiteHat says it’s worrisome that the numbers remain so high. Likewise, the time it takes to fix critical and high-severity vulnerabilities must go down if organizations want to improve the window of exposure and bolster their security postures. “Organizations need to reduce the risk of being breached via web, mobile and API applications that are running in production serving their clients,” said Kulkarni.
He suggests organizations “start by securing their critical applications by testing them for vulnerabilities in production where the actual risk of being breached is maximum.” Once the vulnerabilities are identified, the most severe should be mitigated first. “This program of testing applications in production and mitigating vulnerabilities in a risk-based manner should then be extended to the next tier of important applications until the entire inventory of applications is covered,” Kulkarni explained.
Also, he recommends organizations look at the most prevalent vulnerability types in its application landscape, then “deploy targeted training programs to help their software teams identify and fix these vulnerabilities quickly and, in many cases, proactively.”
Among the other findings: The top five vulnerability classes—information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing—remained the same during the last three-month rolling window. In the same time period, HTTP response splitting flaws in apps rose from an average of 1.5 to 4.4 vulnerabilities. Those data points, WhiteHat said, mean that applications continue to be beset by “pedestrian vulnerabilities” that take very little skill and effort for attackers to find and exploit. And that’s a lot like leaving the back bedroom window cracked while burglars lurk in the yard.