
70% of apps for the manufacturing sector spent all of 2020 with at least one security flaw


According to WhiteHat Security, 70 percent of individual web, mobile and API-based apps that support the manufacturing sector spent all of 2020 with at least one critical or high-risk security flaw.

With public administration apps, the number that went a year with a security flaw dropped to 67 percent, and nine other sectors ranged between 50 and 60 percent.

The results come from aggregated data from the firm's monthly AppSec Stats Flash scans of tens of thousands of apps, compiled in a just-released annual report.

"Time-to-fix is seeing a dangerous upward trend," said Setu Kulkarni, vice president of strategy for WhiteHat, via email.

Indeed, the average time to fix bugs of any severity lasted a year or more in the public administration, educational services, and utilities industries.

Besides manufacturing and public administration, more than half the individual apps from a wide range of sectors had at least one critical or high severity vulnerability from Jan. 1, 2020, to Jan. 1, 2021: healthcare and social assistance; real estate and rental; information; retail; education; utilities; enterprise management; and professional, scientific and technical services.

Several industries fared better. Less than a third of the apps in agriculture, forestry and hunting; construction; and arts, entertainment and recreation had critical or high severity flaws all year.

Kulkarni said that the reason so many applications had perennial bugs was a mixture of trouble prioritizing, lack of trained staffing, and a boom in online applications that's left little time to remediate problems.

Kulkarni noted that many of the bugs left unaddressed came from "pedestrian" classes of vulnerabilities or were otherwise relatively easy to address.

"The most commonly occurring vulnerability class, information leakage, can be addressed largely via configuration changes throughout the software lifecycle," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
