
Researchers found that 50% of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout all of 2021, while just 27% of sites tested were vulnerable for less than 30 days.

In releasing its "AppSec Stats Flash: 2021 Year in Review," NTT Application Security focused on changes within Window-of-Exposure and Time-to-Fix data across industry verticals, including healthcare, manufacturing, utilities and retail.

The following are some highlights by vertical market:

  • Utilities: Some 63% of utilities websites were vulnerable to at least one exploitable vulnerability throughout 2021, up 8% from the year before.
  • Education: The sector had the longest Time-to-Fix a critical vulnerability across all industries — 523.5 days — nearly 335 days more than public administration (188.6 days), which maintained the shortest timeframe throughout 2021.
  • Finance and Insurance: At 43%, these business sectors had the lowest percentage of sites perpetually exposed.
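The two metrics the report is built on, Window-of-Exposure (how many days of the year a site has at least one open serious finding) and Time-to-Fix (days from detection to confirmed fix), can be tracked from an organisation's own scan history. The following is an added example, not code from NTT or the report, and it assumes that simple definition of both metrics: overlapping findings on the same site are merged so each day is counted once, and the scan history is constructed sample data.

```python
from datetime import date, timedelta

YEAR_START = date(2021, 1, 1)
YEAR_END = date(2021, 12, 31)                      # inclusive
DAYS_IN_YEAR = (YEAR_END - YEAR_START).days + 1    # 365

# Constructed scan history (not data from the report): one row per serious finding,
# with the day it was first detected and the day a rescan confirmed the fix
# (None = still open at year end).
FINDINGS = [
    {"site": "shop.example", "opened": date(2020, 11, 3), "closed": None},
    {"site": "portal.example", "opened": date(2021, 3, 1), "closed": date(2021, 3, 15)},
    {"site": "portal.example", "opened": date(2021, 3, 10), "closed": date(2021, 3, 20)},
    {"site": "api.example", "opened": date(2021, 2, 1), "closed": date(2021, 6, 1)},
    {"site": "api.example", "opened": date(2021, 9, 1), "closed": date(2021, 9, 10)},
]

def exposed_days(findings, site, start=YEAR_START, end=YEAR_END):
    """Days in [start, end] on which `site` had at least one open serious finding.
    A finding counts on days opened <= d < closed; overlapping findings are merged
    so a day with two open issues is counted once (assumed definition)."""
    stop = end + timedelta(days=1)
    spans = []
    for f in (g for g in findings if g["site"] == site):
        lo, hi = max(f["opened"], start), min(f["closed"] or stop, stop)
        if lo < hi:                       # ignore findings wholly outside the window
            spans.append((lo, hi))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1]:  # overlaps or touches the current run
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return sum((hi - lo).days for lo, hi in merged)

def time_to_fix_days(findings):
    """Mean days from detection to confirmed fix over the closed findings."""
    fixed = [(f["closed"] - f["opened"]).days for f in findings if f["closed"]]
    return sum(fixed) / len(fixed) if fixed else None

def exposure_buckets(findings, sites):
    """Split sites the way the report does: exposed all year vs. under 30 days."""
    buckets = {"perpetual": [], "under_30": [], "other": []}
    for site in sites:
        days = exposed_days(findings, site)
        key = "perpetual" if days == DAYS_IN_YEAR else "under_30" if days < 30 else "other"
        buckets[key].append(site)
    return buckets
```

A finding that was opened in the previous year and never closed (shop.example above) is what puts a site in the "perpetually exposed" bucket, which is why carried-over backlog, not just new findings, drives the 50% figure.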

Some of these stats are so high because organizations are struggling with the increased number of web assets, reduced security headcount/expertise, and rapid deployments of applications through CI/CD to bring new features and functionalities to market as fast as possible, said Ray Kelly, a fellow at NTT Application Security.

“It’s a constant game of catch-up,” Kelly said. “If organizations don’t focus on remediating critical vulnerabilities, sooner or later malicious actors will take advantage. The most significant finding within the report is around Window-of-Exposure: the fact that 50% of web applications were vulnerable to attack throughout 2021 is quite alarming.”

Mark Lambert, vice president of products at ArmorCode, said these vulnerabilities are usually known to the teams — but security pros are challenged by lots of automation that generates lots of data but no actionable information.

“AppSec teams are outnumbered 100:1,” Lambert said. “Development and security teams are siloed and disconnected, resulting in frustration and finger-pointing. So releases go out the door fast and furious with known vulnerabilities — and when new vulnerabilities are identified, teams have to scramble to respond.”

Michael Isbitski, technical evangelist at Salt Security, explained that while the stat that says half of organizations are vulnerable throughout the year may at first sound alarming, the number reflects the realities of continuous security testing and of needing to release applications to production. Isbitski said when organizations run application security testing (AST) tools, they often discover similar sets of issues that they may not consider risky.

“It’s not uncommon for organizations to ignore these security issues or suppress them wholesale, particularly information disclosure problems,” Isbitski said. “Scanning tools frequently report the mere presence of certain HTTP headers or server banners as information disclosure. These metadata offer details to an attacker on back-end systems and versions useful in finding other vulnerabilities. Information disclosure problems don’t always arise from application code, and more often they originate from infrastructure configuration. Other issues, like injection flaws and abusable business logic, often get more attention.”

David Stewart, CEO of Approov, said security vulnerabilities will always exist in software and although it’s right to assign time and resources to fixing them, we’ll never reach a point in which the industry releases vulnerability-free software.

“What organizations should do, in parallel with their vulnerability-fixing efforts, is shield their apps and the APIs that service them from scripts belonging to bad actors looking to exploit vulnerabilities,” Stewart said. “Effective shielding ensures that the malicious scripts can’t reach the intended backend services. Remember that the existence of vulnerabilities isn’t the primary problem: it’s the ability to exploit them. So, block the exploitation route first and then address the vulnerabilities at your (relative) leisure.”