As Time to Fix Flaws Ticks Up, Mitigation Efforts Fall Short

Each month in 2021, NTT Application Security has been tracking the state of application security and the threat landscape, paying particular attention to the window of exposure (WoE), vulnerability by class and time to fix.

Now, six months of data from its AppSec Stats Flash report show that the utilities sector remains riddled with flaws and vulnerabilities–66% of apps in the industry were found to have at least one serious, exploitable flaw so far this year.

In the last month alone, the window of exposure yawned wider in the education, manufacturing and retail and wholesale trade applications sector; the latter’s WoE increased by 7% while the WoE in health care rose by 2% and the other three groups by 4%. Since the beginning of the year 2021, WoE in the wholesale trade sector ticked up by 15% while utilities saw an 11% increase during those six months.

Both utilities and wholesale trade “are being forced to transform their applications for newer B2B and B2C use cases. Consequently, they are testing their applications at an increased rate while the applications themselves are being put through relatively low-maturity software life cycles,” said Setu Kulkarni, vice president, strategy, NTT Application Security. “Both of these factors combined are contributing to the detection of more vulnerabilities in applications that have not been developed through a mature, secure SDLC.”

But, “at the same time, not enough is being done to mitigate or remediate these vulnerabilities at a scale where the mitigation efforts would match the detection rates,” Kulkarni said. “We expect that, much like the manufacturing sector, we should see mitigation efforts catch up with detection rate and thus positively impact the WoE trend. However, that remains to be seen.”

The news wasn’t all bad, though. Both finance and insurance saw their WoE decline by 2% in June 2021. And it does seem that the increased focus on security in the wake of a number of targeted breaches, and after new regulations were proposed, has paid off for the manufacturing, public administration and health care sectors, which saw declines in WoEs, according to the NTT report released today.

“Health care WoE has seen a 7% improvement from the beginning of the year. Finance and insurance remained relatively flat within a small range of 2%,” said Kulkarni. “Both these sectors perform better than the rest of the industry owing to both the maturity of their application life cycle practices and the regulatory compliance mandates on these industries.”

But WoEs don’t tell the whole story. Remediation rates declined across all vulnerabilities and severities and for the critical vulnerabilities, the downturn was to 48% at the end of June, down from 54% since the beginning of the year. For high vulnerabilities, remediation decreased from the 50% recorded at the beginning of the year to 38% by June’s end.

NTT researchers noted that among vulnerabilities, HTTP response splitting is on the upswing. Attackers can exploit these flaws to modify a website’s content, then trick users into clicking malicious links or visit a malicious site. Pedestrian vulnerabilities, too, continue to be the scourge of applications and are easy for bad actors to find and exploit.

“The fact that the same five vulnerability types continue to feature in the top five most likely vulnerabilities by class over the past six months sheds light on the fact that there is not enough targeted enablement amongst development and security staff to learn about and prioritize the fixing of these commonly found vulnerabilities,” said Kulkarni.

Organizations are clearly struggling to fix flaws in a timely manner, with time to fix (TTF) metrics for vulnerabilities of all severities increasing, the report showed. In fact, on average, by the end of June, TTF rose to 202 days from the 197 days recorded at the beginning of the year. For high vulnerabilities, the TTF rose from 194 days when the year began to 246 by the end of June.

“There is clearly a mismatch in the level of investment, including the time and resources, required to secure the rapidly expanding and evolving application estates organizations have today,” said Kulkarni. “In addition, there is also a skill level and prioritization gap that must be addressed.”

Avatar photo

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson