Time to Fix High Severity Apps Increases by Ten Days
The average time taken to fix high severity application security flaws has increased by ten days in just a month, according to the latest data from NTT Application Security.
The security vendor’s AppSec Stats Flash report for August offers a broad view of the current state of application security across various verticals.
Most important is the data detailing how quickly, or otherwise, organizations close the window of exposure (WoE) between a patch becoming available and its being applied.
Although it found the overall “time to fix” had dropped by two days, from 202 days to 200 days, for high severity vulnerabilities it increased from 246 days last month to 256 days in this month’s analysis.
The report found that utilities and retail firms, in particular, were performing poorly.
“Applications in the utility space continue to suffer from high window of exposure, with 67% of applications having at least one serious exploitable vulnerability throughout the year,” it noted.
“Retail Trade saw an increase of three base points in its WoE — from 58% last time to 61% this time. As we get closer to the final quarter of the year, there will be an expected increase in the transactions and activity on retail web and mobile applications. As such, applications in this sector are going to be rich targets for exploits.”
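To make the two metrics the report leans on concrete, here is an added example (not NTT Application Security's code or methodology) that computes mean time to fix per severity and an application's window of exposure over a constructed set of findings; the merge of overlapping findings, the handling of still-open findings and the "serious vulnerability throughout the year" threshold are assumptions about how such metrics are typically defined.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    app: str
    severity: str            # e.g. "high", "medium"
    opened: date             # date the finding was confirmed
    closed: Optional[date]   # None: still open at the end of the period

# Constructed sample findings; not data from the report.
FINDINGS = [
    Finding("shop-web", "high", date(2021, 1, 10), date(2021, 4, 20)),
    Finding("shop-web", "high", date(2021, 3, 1), date(2021, 9, 1)),
    Finding("shop-web", "medium", date(2021, 2, 1), date(2021, 2, 15)),
    Finding("billing-api", "high", date(2021, 6, 1), None),
    Finding("portal", "medium", date(2021, 5, 1), date(2021, 5, 30)),
]

def time_to_fix(findings, severity):
    """Mean days from discovery to remediation over closed findings only."""
    days = [(f.closed - f.opened).days for f in findings
            if f.severity == severity and f.closed is not None]
    return mean(days) if days else None

def window_of_exposure(findings, app, serious, start, end):
    """Fraction of [start, end) during which `app` had at least one open
    serious finding. Overlaps are merged; open findings run to `end`."""
    spans = sorted((max(f.opened, start), min(f.closed or end, end))
                   for f in findings if f.app == app and f.severity in serious)
    exposed, cur = 0, None
    for lo, hi in spans:
        if lo >= hi:
            continue                      # finding lies outside the period
        if cur is None or lo > cur[1]:    # gap: flush the merged span
            exposed += (cur[1] - cur[0]).days if cur else 0
            cur = [lo, hi]
        else:
            cur[1] = max(cur[1], hi)
    exposed += (cur[1] - cur[0]).days if cur else 0
    return exposed / (end - start).days

def share_exposed(findings, serious, start, end, min_fraction=1.0):
    """Share of apps whose WoE reaches `min_fraction` (1.0: exposed all year)."""
    apps = sorted({f.app for f in findings})
    hits = [a for a in apps
            if window_of_exposure(findings, a, serious, start, end) >= min_fraction]
    return len(hits) / len(apps)
```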
The most vulnerable sector was once again the “Management of Companies and Enterprises” vertical.
NTT Application Security warned that vulnerable applications are an increasingly dangerous vector for embedding ransomware and enabling supply chain attacks.
The top five vulnerability types by volume were HTTP response splitting, query language injection, cross-site scripting (XSS), cross-site request forgery and remote file inclusion.
These remain unchanged from previous months, indicating a “systemic failure” to address well-known security issues and making the task of threat actors even easier, the vendor claimed.