Half of Corporate Web Apps Contain Flaws That Are at Least a Year Old

By Robert Lemos - July 13, 2017
      Companies focused on securing their web applications have slightly reduced the number of flaws in their software, but about half of all applications continue to remain vulnerable for 365 days a year, according to web security firm WhiteHat Security’s latest annual report.

The report, based on data from both dynamic and static analyses conducted by the firm, found that the average Web application has fewer flaws: three, down from four in last year's report.

      Yet, half of all apps always had at least one vulnerability over all of 2016, the company found. Utilities had the worst track record for mitigating vulnerabilities, with 64 percent of utilities’ Web applications containing at least one unpatched vulnerability throughout the entire year. Retail, accommodation and food services sites tied for second place, each seeing 59 percent of applications vulnerable to attack for 365 days.

      “We are releasing software faster, faster and faster, so that means that we are releasing vulnerabilities faster as well,” Ryan O’Leary, vice president of WhiteHat’s Threat Research Center, told eWEEK.

      “We need to get the time-to-fix down and the window of exposure down, because the more time that we give the bad guys to find a vulnerability and develop and exploit, the more vulnerable we are.”

      The previous year saw different industries perform worst, when 60 percent of information-technology companies tested by WhiteHat were always vulnerable, while the food and beverage and manufacturing industries tied for second place with 57 percent of applications always vulnerable.

The report brings together data from 15,000 assessments of web applications and more than 65,000 assessments of mobile applications. The data combines both static application security testing (SAST), which analyzes source code, and dynamic application security testing (DAST), which scans running applications for vulnerabilities.

      The data analysis found that companies do fix the most critical vulnerabilities first, but then focus on the easiest-to-fix issues, leaving high-severity vulnerabilities unfixed the longest. The behavior is a natural result of the incentives imposed on most developers, O’Leary said.

      “The really, really bad vulnerabilities and the really, really easy vulnerabilities are the first to get fixed,” he said. “And it makes sense: You want to fix the vulnerabilities that will blow your site up first. And with new agile development, you have time slices of work for additional things, and you want to show wins, so the low-hanging fruit gets hit next.”

      The analysis also found that detecting vulnerabilities early pays off. SAST technologies, typically run during development, found on average 11 vulnerabilities per application, with the average flaw fixed in 113 days. DAST scans, typically run later—during quality-assurance testing—found 3 vulnerabilities per application, and they took longer to fix—174 days.

      “This is the first year that we have done a comparison to static analysis,” O’Leary said. “Our data shows that it seems to be faster to fix a vulnerability in development, rather than in production.”
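To make the two metrics in the report concrete, here is an added example (not WhiteHat's code or data) that computes an application's window of exposure as the union of its open-finding intervals, the share of applications exposed on every day of the year, and the mean time-to-fix per test type, over constructed sample findings.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed sample data (not WhiteHat's): per application, a list of findings
# as (test type that found it, date opened, date closed or None if still open).
YEAR_START, YEAR_END = date(2016, 1, 1), date(2016, 12, 31)
FINDINGS = {
    "app-a": [("SAST", date(2015, 11, 2), date(2016, 5, 1)),
              ("DAST", date(2016, 4, 20), None)],              # never clean in 2016
    "app-b": [("SAST", date(2016, 2, 1), date(2016, 3, 1)),
              ("SAST", date(2016, 6, 1), date(2016, 7, 15))],  # exposed in two stretches
    "app-c": [],                                                # clean all year
}

def days_exposed(findings, start=YEAR_START, end=YEAR_END):
    """Days in [start, end] on which at least one finding was open.
    Overlapping findings count once, so this is the union of the intervals."""
    exposed = set()
    for _, opened, closed in findings:
        day = max(opened, start)           # clip the interval to the window
        last = min(closed or end, end)     # an open finding runs to the window end
        while day <= last:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)

def always_vulnerable_share(apps, start=YEAR_START, end=YEAR_END):
    """Fraction of applications exposed on every day of the window (the
    report's 'vulnerable 365 days a year' figure; 2016 itself has 366 days)."""
    window = (end - start).days + 1
    hits = sum(days_exposed(f, start, end) == window for f in apps.values())
    return hits / len(apps)

def mean_time_to_fix(apps, source):
    """Average open-to-close days for closed findings from one test type;
    None when that test type has no closed findings to average."""
    durations = [(closed - opened).days
                 for findings in apps.values()
                 for kind, opened, closed in findings
                 if kind == source and closed is not None]
    return mean(durations) if durations else None

if __name__ == "__main__":
    print(f"always vulnerable: {always_vulnerable_share(FINDINGS):.0%}")
    for src in ("SAST", "DAST"):
        print(f"{src} mean time-to-fix: {mean_time_to_fix(FINDINGS, src)}")
```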

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.