Companies focused on securing their web applications have slightly reduced the number of flaws in their software, but about half of all applications continue to remain vulnerable for 365 days a year, according to web security firm WhiteHat Security’s latest annual report.
The report, based on data from both dynamic and static analyses conducted by the firm, found that the average web application now has three flaws, down from four in last year’s report.
Yet, half of all apps always had at least one vulnerability over all of 2016, the company found. Utilities had the worst track record for mitigating vulnerabilities, with 64 percent of utilities’ Web applications containing at least one unpatched vulnerability throughout the entire year. Retail, accommodation and food services sites tied for second place, each seeing 59 percent of applications vulnerable to attack for 365 days.
“We are releasing software faster, faster and faster, so that means that we are releasing vulnerabilities faster as well,” Ryan O’Leary, vice president of WhiteHat’s Threat Research Center, told eWEEK.
“We need to get the time-to-fix down and the window of exposure down, because the more time that we give the bad guys to find a vulnerability and develop an exploit, the more vulnerable we are.”
The previous year saw different industries perform worst, when 60 percent of information-technology companies tested by WhiteHat were always vulnerable, while the food and beverage and manufacturing industries tied for second place with 57 percent of applications always vulnerable.
The report brings together data from 15,000 assessments of web applications and more than 65,000 assessments of mobile applications. The data combines both static application security testing (SAST), which focuses on analyzing source code, and dynamic application security testing (DAST), which focuses on scanning running applications for vulnerabilities.
The data analysis found that companies do fix the most critical vulnerabilities first, but then focus on the easiest-to-fix issues, leaving high-severity vulnerabilities unfixed the longest. The behavior is a natural result of the incentives imposed on most developers, O’Leary said.
“The really, really bad vulnerabilities and the really, really easy vulnerabilities are the first to get fixed,” he said. “And it makes sense: You want to fix the vulnerabilities that will blow your site up first. And with new agile development, you have time slices of work for additional things, and you want to show wins, so the low-hanging fruit gets hit next.”
The analysis also found that detecting vulnerabilities early pays off. SAST technologies, typically run during development, found on average 11 vulnerabilities per application, with the average flaw fixed in 113 days. DAST scans, typically run later—during quality-assurance testing—found 3 vulnerabilities per application, and they took longer to fix—174 days.
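The two metrics the report leans on, the window of exposure (the share of the year an application had at least one open vulnerability, with "always vulnerable" meaning every day) and time-to-fix (days from a finding being reported to it being fixed, here broken out by SAST versus DAST), are easy to compute from a vulnerability tracker's records. The Python below is an added example, not WhiteHat's methodology or code; the application names, the `Finding` record and the sample findings are constructed for illustration, and a finding is treated as open from the day it was reported up to the day before its fix date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    app: str                        # application the finding belongs to (hypothetical names)
    source: str                     # "SAST" or "DAST": which kind of test reported it
    opened: date                    # day the finding was reported
    closed: Optional[date] = None   # day the fix was verified; None means still open


# Constructed sample records (not data from the report).
SAMPLE: List[Finding] = [
    Finding("shop", "SAST", date(2015, 11, 1), date(2016, 3, 1)),    # fixed after 121 days
    Finding("shop", "DAST", date(2016, 2, 15)),                      # still open
    Finding("portal", "SAST", date(2016, 3, 10), date(2016, 4, 9)),  # fixed after 30 days
    Finding("portal", "DAST", date(2016, 4, 1), date(2016, 4, 21)),  # fixed after 20 days
    # "api" has no findings at all
]


def is_open_on(f: Finding, day: date) -> bool:
    """Open from the report date up to, but not including, the fix date."""
    return f.opened <= day and (f.closed is None or day < f.closed)


def days_exposed(findings: List[Finding], app: str, year: int) -> int:
    """Days in `year` on which `app` had at least one open finding.

    Overlapping findings are counted once: this is the union of their open
    intervals, not the sum of their individual durations.
    """
    first, last = date(year, 1, 1), date(year, 12, 31)
    mine = [f for f in findings if f.app == app]
    count, day = 0, first
    while day <= last:
        if any(is_open_on(f, day) for f in mine):
            count += 1
        day += timedelta(days=1)
    return count


def window_of_exposure(findings: List[Finding], app: str, year: int) -> float:
    """Fraction of the year the app was exposed; 1.0 is 'always vulnerable'."""
    days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    return days_exposed(findings, app, year) / days_in_year


def always_vulnerable(findings: List[Finding], app: str, year: int) -> bool:
    return window_of_exposure(findings, app, year) == 1.0


def share_always_vulnerable(findings: List[Finding], apps: List[str], year: int) -> float:
    """The report's headline figure: what share of a population of apps was always vulnerable."""
    return sum(always_vulnerable(findings, a, year) for a in apps) / len(apps)


def mean_time_to_fix(findings: List[Finding], source: Optional[str] = None) -> Optional[float]:
    """Average days from report to fix over closed findings, optionally filtered by SAST/DAST."""
    ttf = [(f.closed - f.opened).days
           for f in findings
           if f.closed is not None and (source is None or f.source == source)]
    return mean(ttf) if ttf else None


if __name__ == "__main__":
    apps = ["shop", "portal", "api"]
    for app in apps:
        print(f"{app}: exposed {days_exposed(SAMPLE, app, 2016)} days, "
              f"always vulnerable={always_vulnerable(SAMPLE, app, 2016)}")
    print(f"share always vulnerable: {share_always_vulnerable(SAMPLE, apps, 2016):.0%}")
    for src in (None, "SAST", "DAST"):
        print(f"mean time-to-fix ({src or 'all'}): {mean_time_to_fix(SAMPLE, src)}")
```

The union-of-intervals point matters in practice: a single long-lived finding that spans the year makes an application "always vulnerable" regardless of how quickly every other finding was closed, which is why a good mean time-to-fix and a bad window of exposure can coexist for the same application.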
“This is the first year that we have done a comparison to static analysis,” O’Leary said. “Our data shows that it seems to be faster to fix a vulnerability in development, rather than in production.”