Average time to fix critical cybersecurity vulnerabilities is 205 days: report

According to the report, more than 66% of all applications used by the utility sector had at least one exploitable vulnerability open throughout the year.
Written by Jonathan Greig, Contributor

A new report from WhiteHat Security has found that the average time taken to fix critical cybersecurity vulnerabilities has increased from 197 days in April 2021 to 205 days in May 2021.

In its AppSec Stats Flash report, WhiteHat Security researchers found that organizations in the utility sector had the highest exposure window with their application vulnerabilities, spotlighting a problem that made national news last week when it was revealed more than 50,000 water treatment plants across the US had lackluster cybersecurity. In addition to an attack on a water treatment plant in Florida earlier this year, it was revealed that there had been multiple attacks on utilities that were never reported. 

According to the report, more than 66% of all applications used by the utility sector had at least one exploitable vulnerability open throughout the year. Setu Kulkarni, a vice president at WhiteHat Security, said over 60% of applications in the manufacturing industry also had a window of exposure of over 365 days. 

"At the same time, they have a very small number of applications that have a window of exposure that is less than 30 days -- meaning applications where exploitable serious vulnerabilities get fixed under a month," Kulkarni explained, noting that the finance and insurance industries did a better job of addressing vulnerabilities. 

"Finance has a much more balanced window of exposure outlook. About 40% of applications have a WoE of 365 days, but about 30% have a WoE of fewer than 30 days."

WhiteHat Security researchers said the top five vulnerability classes seen over the last three months include information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing. 

The report notes that many of these vulnerabilities are "pedestrian" and require little effort or skill to discover and exploit. 

Kulkarni said the company decided to switch from releasing the report annually to publishing it monthly due to the sheer number of new applications that are developed, changed and deployed, especially since the onset of the COVID-19 pandemic. The threat landscape has also evolved and expanded alongside the explosion in application development. 

Kulkarni noted that the situation had spotlighted the lack of cybersecurity talent available to most organizations and the general lack of resources for many industries struggling to manage updates and patches for hundreds of applications. 

"We look at the window of exposure by the industry as a bellwether metric for breach exposure. When you look at industries like utilities or manufacturing that have been laggards in digital transformation when compared to finance and healthcare, we find that they have a window of exposure data in a complete disbalance," Kulkarni told ZDNet.

"The key takeaway from this data is that organizations that are able to adapt their AppSec program to cater to the needs of legacy and new applications fare much better at balancing the window of exposure for their applications. That is what I am calling it two-speed AppSec: focusing on production testing and mitigation for legacy applications; focusing on production and pre-production testing and balancing mitigation as well as remediation for newer applications."

Every application today is internet-connected either directly or indirectly, Kulkarni added, explaining that this means the impact of vulnerabilities can potentially affect hundreds of thousands of end-users, if not millions. 

Kulkarni suggested organizations distribute the responsibility of security more broadly to all the stakeholders beyond just security and IT teams that often lack the budget or the resources to handle security meticulously.

"Security is a team sport, and for the longest time, there has been a disproportionate share of responsibility placed on security and IT teams.

"Development teams are pressed for time, and they are in no position to undergo multiple hours of point-in-time dedicated security training. A better approach is for the security teams to identify the top 1-3 vulnerabilities that are trending in the applications they are testing and provide development teams bite-size training focused on those vulnerabilities."

Editorial standards