    Half of Corporate Web Apps Contain Flaws That Are at Least a Year Old

    By Robert Lemos - July 13, 2017

      Companies focused on securing their web applications have slightly reduced the number of flaws in their software, but about half of all applications continue to remain vulnerable for 365 days a year, according to web security firm WhiteHat Security’s latest annual report.

      The report, based on data from both dynamic and static analyses conducted by the firm, found that the average web application has fewer flaws: three on average, down from four in last year’s report.

      Yet half of all apps had at least one open vulnerability on every day of 2016, the company found. Utilities had the worst track record for mitigating vulnerabilities, with 64 percent of utilities’ web applications containing at least one unpatched vulnerability throughout the entire year. Retail, accommodation and food services sites tied for second place, each seeing 59 percent of applications vulnerable to attack for 365 days.

      “We are releasing software faster, faster and faster, so that means that we are releasing vulnerabilities faster as well,” Ryan O’Leary, vice president of WhiteHat’s Threat Research Center, told eWEEK.

      “We need to get the time-to-fix down and the window of exposure down, because the more time that we give the bad guys to find a vulnerability and develop an exploit, the more vulnerable we are.”

      The previous year saw different industries perform worst, when 60 percent of information-technology companies tested by WhiteHat were always vulnerable, while the food and beverage and manufacturing industries tied for second place with 57 percent of applications always vulnerable.

      The report brings together data from 15,000 assessments of web applications and more than 65,000 assessments of mobile applications. The data combines both static application security testing (SAST), which analyzes source code, and dynamic application security testing (DAST), which scans running applications for vulnerabilities.

      The data analysis found that companies do fix the most critical vulnerabilities first, but then focus on the easiest-to-fix issues, leaving high-severity vulnerabilities unfixed the longest. The behavior is a natural result of the incentives imposed on most developers, O’Leary said.

      “The really, really bad vulnerabilities and the really, really easy vulnerabilities are the first to get fixed,” he said. “And it makes sense: You want to fix the vulnerabilities that will blow your site up first. And with new agile development, you have time slices of work for additional things, and you want to show wins, so the low-hanging fruit gets hit next.”

      The analysis also found that detecting vulnerabilities early pays off. SAST technologies, typically run during development, found on average 11 vulnerabilities per application, with the average flaw fixed in 113 days. DAST scans, typically run later—during quality-assurance testing—found 3 vulnerabilities per application, and they took longer to fix—174 days.
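To make the two metrics the report is built on concrete, here is an added example (not from the article, and not WhiteHat's own tooling) that computes an application's window of exposure, whether it counts as "always vulnerable" for a calendar year, and its mean time-to-fix from a set of finding records; the application names and dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample findings: (app, opened, closed); closed=None means still open.
# Illustrative values only, not data from the WhiteHat report.
FINDINGS = [
    ("billing",    date(2015, 11, 2), date(2016, 3, 14)),
    ("billing",    date(2016, 2, 20), date(2016, 9, 30)),
    ("billing",    date(2016, 9, 1),  None),            # never fixed during 2016
    ("storefront", date(2016, 1, 15), date(2016, 5, 1)),
    ("storefront", date(2016, 8, 10), date(2016, 8, 25)),
]

def _clip(opened, closed, year):
    """Clip a finding's open interval to the calendar year (inclusive dates).
    The day a finding is closed counts as fixed. Returns None if no overlap."""
    start, end = date(year, 1, 1), date(year, 12, 31)
    lo = max(opened, start)
    hi = min(closed - timedelta(days=1) if closed else end, end)
    return (lo, hi) if lo <= hi else None

def window_of_exposure(findings, app, year):
    """Number of days in `year` on which `app` had at least one open finding.
    Overlapping findings are merged so a day is only counted once."""
    intervals = sorted(filter(None, (_clip(o, c, year) for a, o, c in findings if a == app)))
    days, cur = 0, None
    for lo, hi in intervals:
        if cur and lo <= cur[1] + timedelta(days=1):   # overlaps or touches: extend
            cur = (cur[0], max(cur[1], hi))
        else:
            if cur:
                days += (cur[1] - cur[0]).days + 1
            cur = (lo, hi)
    if cur:
        days += (cur[1] - cur[0]).days + 1
    return days

def always_vulnerable(findings, app, year):
    """True when the app was exposed on every day of the year (the report's category)."""
    year_len = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    return window_of_exposure(findings, app, year) == year_len

def mean_time_to_fix(findings, app=None):
    """Average days from discovery to fix over closed findings; open ones are excluded."""
    ttf = [(c - o).days for a, o, c in findings if c and (app is None or a == app)]
    return sum(ttf) / len(ttf) if ttf else None
```

Findings still open at year end are what push an application into the "always vulnerable" bucket, so the open-finding count matters as much as the averages.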

      “This is the first year that we have done a comparison to static analysis,” O’Leary said. “Our data shows that it seems to be faster to fix a vulnerability in development, rather than in production.”
