Contents:
On average, the time needed to fix serious vulnerabilities rose from 197 days in April 2021 to 205 days in May 2021, according to a recent report from WhiteHat Security.
WhiteHat Security analysts found that organizations in the utility sector had the longest window of exposure for their application vulnerabilities.
For example, in January 2021 a threat actor attempted to poison a water treatment plant serving parts of the San Francisco Bay Area. This was followed by an attack on the water treatment plant in Oldsmar, Florida, where someone remotely accessed the plant's systems and tried to raise the concentration of sodium hydroxide in the water to a dangerous level; an operator noticed the change and reverted it before the treated water was affected.
Unfortunately, many attacks on the utility sector are never made public. According to the report, over 66% of all applications used by utility organizations had at least one exploitable serious vulnerability open throughout the year.
Setu Kulkarni, VP of Corporate Strategy and Business Development at WhiteHat Security, said that more than 60% of applications in the manufacturing sector also had a window of exposure of over 365 days.
At the same time, manufacturing has very few applications with a window of exposure under 30 days, that is, applications in which exploitable serious vulnerabilities are fixed in under a month.
Finance shows a much more balanced window of exposure: about 40% of its applications have a WoE of 365 days, but about 30% have a WoE of under 30 days.
The top five vulnerability classes the researchers recently observed, which they describe as easy to find and exploit, are:
- disclosure of confidential information
- inadequate session expiration
- cross-site scripting
- insufficient Transport Layer Security (TLS)
- content spoofing
Kulkarni said the company decided to move the report from an annual to a monthly publication because the state of application security is changing rapidly and the threat landscape needs to be analyzed more frequently.
He also noted that the findings highlight the need for cybersecurity talent, and the general lack of resources in several industries that struggle to manage updates and patches for hundreds of applications.
"We look at the window of exposure by the industry as a bellwether metric for breach exposure. When you look at industries like utilities or manufacturing that have been laggards in digital transformation when compared to finance and healthcare, we find that they have window of exposure data in a complete imbalance.
The key takeaway from this data is that organizations that are able to adapt their AppSec program to cater to the needs of legacy and new applications fare much better at balancing the window of exposure for their applications. That is what I am calling two-speed AppSec: focusing on production testing and mitigation for legacy applications; focusing on production and pre-production testing and balancing mitigation as well as remediation for newer applications."
The VP of Corporate Strategy and Business Development concluded that cybersecurity is a team sport and that for way too long there has been an unequal share of responsibility placed on security and IT teams.
Development teams are pressed for time, and they are in no position to undergo multiple hours of point-in-time dedicated security training. A better approach is for the security teams to identify the top 1-3 vulnerabilities that are trending in the applications they are testing and provide development teams bite-size training focused on those vulnerabilities.
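The two numbers the article leans on, an application's window of exposure (the days in a reporting period on which it had at least one serious, exploitable vulnerability open) and the handful of vulnerability classes currently trending in a team's own findings, can both be computed from the data any scanner or ticket queue already holds. The following is an added example, not code from the article or from WhiteHat Security; the WoE definition, the severity labels counted as "serious", the bucket boundaries and the Finding records are all assumptions made for the illustration, and the sample findings are constructed.

```python
"""Window of exposure (WoE) and trending vulnerability classes from finding records.

Assumed definition: WoE is the number of days in the reporting period on which an
application had at least one serious finding open (union across overlapping findings).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SERIOUS = {"critical", "high"}  # assumed severity labels that count as "serious"


@dataclass(frozen=True)
class Finding:
    app: str
    vuln_class: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None = still open; otherwise the day the fix landed (exclusive)


def _exposed_days(f: Finding, start: date, end: date) -> set:
    """Calendar days within [start, end] on which finding f was open."""
    first = max(f.opened, start)
    last = end if f.closed is None else min(f.closed - timedelta(days=1), end)
    if first > last:
        return set()
    return {first + timedelta(days=i) for i in range((last - first).days + 1)}


def window_of_exposure(findings, start: date, end: date) -> dict:
    """Map each app to the number of days it had >= 1 serious finding open in the period."""
    days = {}
    for f in findings:
        days.setdefault(f.app, set())          # apps with no serious findings still get 0
        if f.severity in SERIOUS:
            days[f.app] |= _exposed_days(f, start, end)
    return {app: len(d) for app, d in days.items()}


def woe_bucket(days: int) -> str:
    """Assumed buckets: fixed within a month, fixed within the year, exposed all year."""
    if days < 30:
        return "<30"
    if days < 365:
        return "30-364"
    return "365+"


def bucket_distribution(woe: dict) -> Counter:
    """How many apps fall into each WoE bucket (the per-industry view in the article)."""
    return Counter(woe_bucket(d) for d in woe.values())


def top_classes(findings, start: date, end: date, n: int = 3):
    """Most common serious vulnerability classes open at any point in the period."""
    counts = Counter(
        f.vuln_class for f in findings
        if f.severity in SERIOUS and f.opened <= end and (f.closed is None or f.closed > start)
    )
    return counts.most_common(n)


# Constructed sample data: one legacy app exposed all year, one app that fixes fast,
# one app with only medium-severity findings.
START, END = date(2021, 1, 1), date(2021, 12, 31)
SAMPLE = [
    Finding("billing-legacy", "Information Leakage", "high", date(2020, 6, 1)),
    Finding("billing-legacy", "Insufficient Session Expiration", "high", date(2020, 12, 1), date(2021, 2, 1)),
    Finding("customer-portal", "Cross-Site Scripting", "high", date(2021, 3, 1), date(2021, 3, 15)),
    Finding("customer-portal", "Cross-Site Scripting", "critical", date(2021, 3, 10), date(2021, 3, 20)),
    Finding("status-page", "Content Spoofing", "medium", date(2021, 5, 1)),
]

if __name__ == "__main__":
    woe = window_of_exposure(SAMPLE, START, END)
    print("WoE per app:", woe)
    print("Bucket distribution:", dict(bucket_distribution(woe)))
    print("Top classes to train on:", top_classes(SAMPLE, START, END))
```

Overlapping findings on the same application are counted once per day, so two bugs open in the same fortnight do not double the exposure; a finding closed before the period starts contributes nothing. The `top_classes` output is the list the last paragraph suggests building the short, targeted developer training around.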