Average time to fix high severity vulnerabilities grows from 197 days to 246 days in 6 months: report

A new report from NTT Application Security found that the window of exposure for many companies' vulnerabilities is growing.
Written by Jonathan Greig, Contributor

The latest AppSec Stats Flash report from NTT Application Security has found that the remediation rate for severe vulnerabilities is on the decline, while the average time to fix is on the rise.

The report, which is compiled monthly, covers window of exposure, vulnerability by class and time to fix.

The latest report found that the window of exposure for applications has increased over the last six months while the top-5 vulnerability classes by prevalence remain constant, which the researchers behind the report said was a "systematic failure to address these well-known vulnerabilities."

According to NTT Application Security researchers, the time to fix vulnerabilities has dropped 3 days, from 205 days to 202 days. The average time to fix is 202 days, the report found, representing an increase from 197 days at the beginning of the year. The average time to fix for high-severity vulnerabilities grew from 194 days at the beginning of the year to 246 days at the end of June.

Remediation rates have also decreased across all vulnerability severities, with rates for critical vulnerabilities falling from 54% at the beginning of the year to 48% at the end of June. Rates for high-severity vulnerabilities decreased from 50% at the beginning of the year to 38% at the end of June.

The report notes that many of these vulnerabilities are "pedestrian" and require a low level of effort and skill to exploit.

HTTP Response Splitting is one issue that is on the rise, according to the report, and the authors suggest organizations pay closer attention to upgrading underlying open-source components. The vulnerability allows attackers "to modify the user-facing content of a website by tricking the target user into clicking a malicious link or visiting a malicious website."
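The report names the vulnerability class without showing the mechanism. The following added example (not from the report or the article) illustrates the defender's view: a response built by interpolating an unvalidated, constructed value into a Location header, a minimal header parser showing how a CR/LF sequence in that value ends up being read as a separate header and body, and the control-character check that rejects such values before they reach the header.

```python
import re
from typing import Dict, List, Tuple

CRLF = "\r\n"

# Constructed sample inputs: a benign redirect target and one carrying CR/LF
# sequences, which is what a response-splitting scanner finding looks like.
SAFE_INPUT = "/account"
INJECTED_INPUT = "/account\r\nContent-Length: 0\r\n\r\n<html>spoofed</html>"


def build_response_unsafe(location: str) -> str:
    # Vulnerable pattern: a user-controlled value is copied verbatim into a header.
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}"


def is_safe_header_value(value: str) -> bool:
    # Header values must never contain CR, LF or NUL; any of them lets the
    # value terminate the header and start a new header line or the body.
    return re.search(r"[\r\n\x00]", value) is None


def build_response_safe(location: str) -> str:
    # Hardened form: validate before interpolating. Modern frameworks do this
    # for you, which is why the report points at upgrading components.
    if not is_safe_header_value(location):
        raise ValueError("control characters in header value")
    return build_response_unsafe(location)


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    # Minimal HTTP/1.1 reader: headers end at the first blank line, the rest is body.
    head, _, body = raw.partition(CRLF + CRLF)
    headers: Dict[str, List[str]] = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    return headers, body


if __name__ == "__main__":
    hdrs, body = parse_response(build_response_unsafe(INJECTED_INPUT))
    print("headers seen by client:", hdrs)
    print("body seen by client:", body)
    try:
        build_response_safe(INJECTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```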

More than 65% of applications in the utilities sector have at least one serious exploitable vulnerability throughout the year, leading all other industries.

Education, manufacturing, and retail and wholesale trade applications each saw an increase in their windows of exposure this month: education, retail trade and manufacturing rose by 4%, and healthcare rose by 2%.

"The Wholesale Trade sector has seen a 15% increase in Window of Exposure, while Utilities has experienced an 11% increase since the beginning of the year," the researchers wrote.

"Manufacturing, Public Administration and Healthcare are large sectors that have each seen a decline in their respective window of exposures, likely due to an increased focus on security following targeted breach activity and/or new regulations."

Two other sectors, finance and insurance, saw improvements, each reporting a 2% drop in their window of exposure.

"This data indicates that industries like Education, Retail, Manufacturing, Healthcare, Utilities and Public Administration continue to suffer more than other industries, including Finance and Insurance," the report said.

"The top-5 vulnerability classes identified in the last three month rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross Site Scripting, Insufficient Transport Layer Protection & Content Spoofing."