Half of all websites tested were exposed to at least one serious exploitable vulnerability throughout 2021, according to data gleaned from some 15 million application security scans run by organizations, a recent NTT report said.
The report, entitled AppSec Stats Flash: 2021 Year in Review and produced by NTT’s application security wing, focuses on changes in window-of-exposure (WoE) and time-to-fix data across industry verticals such as healthcare, manufacturing, utilities and retail. WoE, the amount of time during the year in which an organization has at least one serious exploitable vulnerability open, remains a nagging concern, as applications across all industries continue to spend most of the year exposed.
The report’s analysis of the data also found a downward trend in organizations’ remediation rates of critical vulnerabilities, which fell from 54 percent to 47 percent throughout the course of the year.
Additional key findings from the report include:
- While 50 percent of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout the entire year, 27 percent of sites tested were vulnerable for less than 30 days throughout the year.
- The education industry had the longest time to fix a critical vulnerability of any industry (523.5 days). By comparison, public administration clocked in at 188.6 days, the shortest time frame in 2021.
- The finance and insurance industry had the lowest percentage of sites perpetually exposed (43 percent), while professional, scientific and technical services had the highest percentage (65 percent).
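The WoE and time-to-fix metrics the report compares can be computed from per-site scan findings; the code below is an added example, not the report's or the article's own, and its site names, dates and findings are constructed. WoE is the union of the open intervals of all findings clipped to the year, which is why a site with several overlapping issues can be "always vulnerable" while its mean time-to-fix is much shorter than a year.

```python
from datetime import date

# Constructed sample scan findings (not data from the NTT report): one record
# per serious vulnerability with the day it was first detected and the day a
# re-scan verified the fix (None = still open at the end of the period).
FINDINGS = [
    {"site": "shop.example", "opened": date(2020, 11, 2), "fixed": date(2021, 3, 15)},
    {"site": "shop.example", "opened": date(2021, 2, 1), "fixed": date(2021, 9, 30)},
    {"site": "shop.example", "opened": date(2021, 9, 20), "fixed": None},
    {"site": "portal.example", "opened": date(2021, 6, 1), "fixed": date(2021, 6, 20)},
]
YEAR_START, YEAR_END = date(2021, 1, 1), date(2022, 1, 1)  # half-open [start, end)


def window_of_exposure(findings, start=YEAR_START, end=YEAR_END):
    """Days in [start, end) on which the site had at least one open serious finding.
    Overlapping findings are merged (union of intervals), so a day with three
    open issues counts once; this is why WoE is not the sum of time-to-fix."""
    clipped = []
    for f in findings:
        lo, hi = max(f["opened"], start), min(f["fixed"] or end, end)
        if lo < hi:  # finding was open on at least one day inside the period
            clipped.append((lo, hi))
    merged = []
    for lo, hi in sorted(clipped):
        if merged and lo <= merged[-1][1]:  # overlaps or touches the last run
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return sum((hi - lo).days for lo, hi in merged)


def exposure_bucket(days, start=YEAR_START, end=YEAR_END):
    """The report's headline buckets: exposed all year vs. under 30 days."""
    if days >= (end - start).days:
        return "always vulnerable"
    return "vulnerable < 30 days" if days < 30 else "vulnerable 30+ days"


def mean_time_to_fix(findings):
    """Mean days from detection to verified fix; still-open findings are excluded."""
    durations = [(f["fixed"] - f["opened"]).days for f in findings if f["fixed"]]
    return sum(durations) / len(durations) if durations else None


def site_report(site, findings=FINDINGS):
    """WoE days, exposure bucket and mean time-to-fix for one site."""
    fs = [f for f in findings if f["site"] == site]
    woe = window_of_exposure(fs)
    return woe, exposure_bucket(woe), mean_time_to_fix(fs)
```

With the constructed data, shop.example is exposed all 365 days of 2021 even though its fixed findings averaged 187 days to remediate, while portal.example lands in the under-30-days bucket.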
“Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this inadvertently led to an overall negative result, as these initiatives seem to have occurred as a trade-off with rather than an addition to existing remediation efforts,” said Craig Hinkley, NTT Application Security chief executive. “Moving forward, it is critical for application security programs to evolve toward a more comprehensive approach that brings together robust security testing, strategic remediation efforts and contextual education of developers, development operations and security operations personnel,” he said.