WhiteHat Security: Few of the Web Apps Carry Vulnerabilities


According to a survey published by WhiteHat Security on 22nd June 2021, two-thirds of apps in the utility sector and 63 percent of them that are deployed by the public sector are severely vulnerable, compromising security every day. 

In total, the majority of the applications, of around eleven industries experienced serious vulnerability each day throughout the last year. According to the company's monthly AppSec Stats Flash analysis for June, the top three businesses on the list are  – utilities, public administration, and professional services  – these require at least 288 days on average to address vulnerabilities. 

The sluggish patching rate is because there is a wide range of legacy apps in many situations that don't have an active development team working on them, notes Vice President of Strategy at WhiteHat Security, Setu Kulkarni. 

"Once you find the vulnerability, fixing that vulnerability is not a trivial process because you have to find the right development team, and in many cases, that development team is long gone," he says. "Some of the applications that we use every day are the ones that have been in production for the longest time." 

In total it was 205 days on aggregate for issues resolved over the last 3 months for serious vulnerabilities, up from 194 days in WhiteHat's report published in January and substantially exceeding 148 days for the entire 2020 period, as per the report. 

The trend is partially driven by an increasing amount of testing for new apps and old programs which, according to WhiteHat, have not previously been tested. In the key industries, the number of apps assessed has grown by around 10%, with almost two vulnerabilities detected per site. 

"These high-average time-to-fix results contribute to the large window of exposures," the report states, adding that "[f]ocus on reducing the average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications." 

The trend in the increase of the utility sector at the top of the list is most evident –in January it was placed at seventh. The increase doesn't necessarily suggest that the sector is vulnerable, but that more apps are being tested by enterprises throughout the sector, which is likely to improve overall safety. 

The financial and insurance companies – an industry often targeted in the past – have achieved far better results, but not exceptional. In the 13th place on the list of long-window exposure industries, 43 percent of the applications in this area were always vulnerable, compared to 29 percent that were vulnerable for only 30 days or less. 

According to the report published by WhiteHat Security, the five most important vulnerabilities that haven't changed over time are, information leakage, insufficient session expiry, insufficient transport layer protection, cross-site scripting, and content spoofing. These are the most common faults.