According to a new report from WhiteHat Security, the average time to remediate critical cybersecurity vulnerabilities went from 197 days in April 2021 to 205 days in May 2021.
In its AppSec Stats Flash report, WhiteHat Security researchers find that public sector organizations are most exposed to vulnerabilities in their applications.
According to the report, more than 66% of all applications used by public sector organizations had at least one exploitable vulnerability open throughout the year. Setu Kulkarni, vice president of WhiteHat Security, said more than 60% of applications in the manufacturing industry also have an exposure window of more than 365 days.
“Finance has a much more balanced exposure perspective”
“At the same time, a very small number of applications have an exposure window of less than 30 days, which means that the serious exploitable vulnerabilities in those applications are fixed in less than a month,” explains Setu Kulkarni, noting that the finance and insurance sectors are doing a better job of patching vulnerabilities.
“Finance has a much more balanced exposure window. About 40% of applications have a 365-day Window of Exposure (WoE), but about 30% have a WoE of less than 30 days.”
According to Setu Kulkarni, the company has decided to switch from an annual publication of the report to a monthly publication due to the sheer number of new applications developed, modified and deployed, especially since the start of the Covid-19 pandemic. The threat landscape has also evolved and expanded alongside the explosion in application development.
“We consider the window of exposure by sector as an indicator of breach exposure”
Setu Kulkarni notes that the situation has highlighted the shortage of cybersecurity talent that most organizations face and the general lack of resources in many industries that are struggling to manage updates and fixes for hundreds of applications.
“We view the window of exposure by sector as an indicator of breach exposure. When you look at industries like utilities or manufacturing that have been lagging behind in the digital transformation compared to finance and healthcare, we find that their window of exposure data is completely imbalanced,” Setu Kulkarni says.
“The main conclusion to be drawn from this data is that organizations that are able to tailor their AppSec program to meet the needs of old and new applications are much more successful in balancing the window of exposure of their applications. This is what I call the two-tier AppSec: focusing on testing and production mitigation measures for legacy applications; focus on production and pre-production testing and balance mitigation and remediation measures for new applications.”
“Security is a team sport”
Today, every application is connected to the internet, directly or indirectly, adds Setu Kulkarni, explaining that this means that the impact of vulnerabilities can potentially affect hundreds of thousands of end users, if not millions.
Setu Kulkarni suggests that organizations divide the responsibility for security more widely among all stakeholders, beyond just security and IT teams, who often lack the budget or resources to manage security meticulously.
“Security is a team sport and for a long time a disproportionate amount of responsibility has been placed on the security and IT teams.”
“Development teams are pressed for time and are unable to take several hours of one-off security training. A better approach is for security teams to identify the top one to three vulnerabilities that tend to appear in the applications they test and provide development teams with short training focused on those vulnerabilities.”