Severe vulnerabilities in appsec environments taking longer to fix - NTT Security
The average time to remediate the most severe vulnerabilities in an organisation’s IT infrastructure has now reached 256 days.
That is just one of the findings from NTT Application Security’s AppSec Stats Flack Vol. 8, which explores the current state of application security and in other environments.
According to the report’s front page, ‘hackers have it easy’. The report also details that some industries such as retail and utilities have larger windows of exposure - i.e. longer timeframes in which an application with a serious vulnerability can be exploited to cause a data breach.
Applications in the utility sector have a high window of exposure, with 67% of applications having at least one serious and exploitable vulnerability. In retail, the report predicts an increase in exploits as transactions across the web and mobile ramp up towards the shopping season.
The construction industry takes just 33.6 days to fix vulnerabilities, while finance and insurance can take up to 86.3 days, and the information sector takes 336.5 days. Educational services and agriculture, forestry and fisheries both take more than 500 days to fix a vulnerability. The report also breaks down average remediation times based on several other industries such as healthcare, wholesale trade, and real estate.
“Focus on reducing the average time to fix critical and high severity vulnerabilities to improve the window of exposure and consequently the overall security posture of applications,” the report recommends.
The top 5 most likely vulnerability classes are identified as information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection, and content spoofing.
“Pedestrian vulnerabilities continue to plague applications. The effort and skill required to discover and exploit these vulnerabilities are relatively low, thus making it easier for the adversary. We recommend that organisations track their top 5 vulnerabilities and implement a campaign to educate their software teams about the top 5 vulnerabilities to systematically eradicate these vulnerabilities from their applications.”
The report also examines the likelihood that a vulnerability from the OWASP Top 10 could be exploited. There is a 67.88% chance that a security misconfiguration could be exploited and a 41.12% chance of sensitive data exposure. Moving down the list, there is a 16.57% chance that broken access control is exploited, an 11.52% chance of a broken authentication exploit, and a 1.76% chance of an injection. There is a 0.01% chance of XML external entities being exploited.
The report notes, Focusing on education, detection, and mitigation w.r.t simple XSS vulnerabilities is the first step towards eliminating a significant proportion of XSS vulnerabilities from your applications.
“Where possible, leverage template engines and web application development frameworks that are hardened to prevent XSS vulnerabilities.
“Implement contextual output encoding as a best practice to avoid XSS vulnerabilities.