Key app security metrics show little sign of improvement
Most organizations appear to be making little progress in addressing application security issues despite all the heightened concerns around the topic, according to a new study.
The study, by researchers at NTT Application Security, is based on data from some 15 million scans, mostly of Internet-accessible web applications on customer sites through 2021. Last year, the organizations took more than six months (193.1 days), on average, to fix a critical security breach, almost the same time as in 2020 (194.8). For the same time period, organizations also, on average, patched fewer vulnerabilities as a percentage of the overall total.
Data from NTT shows that patch rates for critical vulnerabilities dropped, on average, to 47% in 2021 from 54% in 2020. In other words, organizations left more than half (53%) of their known critical vulnerabilities unremediated last year. NTT's study shows even more abysmal rates for less severe flaws: organizations, on average, fixed only 36% of high-severity flaws and 33% of medium-severity bugs in their environments in 2021.
Not surprisingly, half of all sites in NTT's study had at least one severe exploitable vulnerability throughout 2021. In some industries, a higher percentage of sites had this type of exposure. Fifty-nine percent of sites in retail, one of the most targeted industries, had at least one severe vulnerability throughout 2021. In the utilities industry, 63% of sites were perpetually exposed to attacks last year due to at least one exploitable vulnerability; in the professional, scientific and technical services sector, the number was even higher, at 65%.
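The three figures the study reports (average time to fix, remediation rate by severity, and the share of sites that carried at least one open severe finding on every day of the year) are straightforward to compute from scan history. The following is an added example, not code or data from the NTT study; the findings table, site names and date handling are constructed assumptions.

```python
from datetime import date, timedelta
from collections import defaultdict

# Constructed sample findings, not data from the NTT study. Each row is
# (site, severity, date_opened, date_closed_or_None).
FINDINGS = [
    ("shop.example", "critical", date(2021, 1, 5), date(2021, 7, 20)),
    ("shop.example", "high", date(2021, 3, 1), None),
    ("shop.example", "critical", date(2021, 6, 1), date(2021, 6, 30)),
    ("bank.example", "critical", date(2020, 11, 1), date(2021, 2, 2)),
    ("bank.example", "high", date(2021, 2, 1), None),
    ("bank.example", "medium", date(2021, 5, 1), None),
    ("util.example", "critical", date(2020, 6, 1), None),
    ("util.example", "high", date(2021, 9, 1), date(2021, 10, 1)),
]
YEAR_START, YEAR_END = date(2021, 1, 1), date(2021, 12, 31)

def mean_time_to_fix(findings, severity):
    """Average days from discovery to closure, over findings closed in the period."""
    durations = [(closed - opened).days for _, sev, opened, closed in findings
                 if sev == severity and closed and YEAR_START <= closed <= YEAR_END]
    return sum(durations) / len(durations) if durations else None

def remediation_rate(findings, severity):
    """Share of findings of this severity open at some point in the period that were closed in it."""
    in_scope = [f for f in findings if f[1] == severity and f[2] <= YEAR_END
                and (f[3] is None or f[3] >= YEAR_START)]
    closed = [f for f in in_scope if f[3] and f[3] <= YEAR_END]
    return len(closed) / len(in_scope) if in_scope else None

def always_vulnerable_share(findings, severities=("critical", "high")):
    """Share of sites with at least one open severe finding on every day of the period."""
    open_days, sites = defaultdict(set), set()
    for site, sev, opened, closed in findings:
        sites.add(site)
        if sev not in severities:
            continue
        # A finding counts as open from its discovery date up to the day before closure.
        start = max(opened, YEAR_START)
        end = min(closed - timedelta(days=1) if closed else YEAR_END, YEAR_END)
        d = start
        while d <= end:
            open_days[site].add(d)
            d += timedelta(days=1)
    total_days = (YEAR_END - YEAR_START).days + 1
    always = [s for s in sites if len(open_days[s]) == total_days]
    return len(always) / len(sites)
```

Overlapping findings on one site are unioned day by day, so a site is "perpetually exposed" only if no single day of the year was free of open severe findings.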
“Simply put, most of these steps are going in the wrong direction,” says Zach Jones, senior director of detection research at NTT Application Security. Application vulnerability patch rates and the time organizations took, on average, last year to fix vulnerabilities remained well below the goals that security teams typically set, he says.
“For example, most teams aim to patch critical vulnerabilities found in their applications within 30 days,” Jones says. “However, when we look at our data, we see that it takes an average of 193 days to fix a critical vulnerability.”
There can be several reasons why organizations struggle to improve critical metrics around application security, such as time to repair, fix rates, and overall exposure window. But a common theme is software development teams’ continued focus on prioritizing new application features and functionality over security, Jones says.
Several security experts have noted how the accelerated adoption of digital-first initiatives in many organizations following the COVID-19 pandemic has only exacerbated the trend over the past two years.
“AppSec teams outnumber 100 to 1,” says Mark Lambert, vice president of product at ArmorCode. Development and security teams also continue to be siloed and disconnected, he says.
“This results in builds that release fast and furiously with known vulnerabilities,” says Lambert. “When new vulnerabilities are identified, teams must scramble to respond.”
Kevin Dunne, president of Pathlock, identifies another problem: the continued growth in discoveries of vulnerabilities in application code.
“The number of vulnerabilities continues to grow, as hackers become more active and more critical systems and sites move to the public web,” he says, adding that many companies are struggling to cope with a backlog of vulnerabilities that need to be fixed.
NTT’s data also suggests that public and media attention may have influenced vulnerability patching decisions at least to some extent last year. Organizations, for example, took 193.1 days on average to fix critical flaws in 2021, which, while not much better than the 194.8 days it took in 2020, was still 1.7 days faster. At the same time, time-to-fix for other, less serious flaws moved in the opposite direction last year.
On average, organizations took longer to fix high, medium, and low severity flaws in 2021 than in 2020.
These are the kinds of results that show up when application security teams focus more on one class of flaws than others, Jones says. “The data suggests that a decrease in the time needed to fix a critical vulnerability often correlates with an increase in the time needed to fix less serious, though still serious, vulnerabilities,” he said.
The most common classes of vulnerability in web application environments last year included data leaks, insufficient transport layer protection, cross-site scripting, cross-site tampering, content spoofing, and insufficient permissions.