IT Industry Falls Behind in Web Application Security

Is security the price of innovation? The IT industry produces Web applications with far more vulnerabilities, and patches them far slower, than other companies.

The fast pace of innovation by the information technology industry has seemingly left businesses in that industry behind in the race to secure their Web applications, according to the annual WhiteHat Security Web Applications Security Statistics Report released on June 7.

As an industry, IT firms came in dead last in measures of security—and first in measures of vulnerability—based on scans of their Web applications by WhiteHat. The average IT Web application, for example, had 32 vulnerabilities, compared with 28 vulnerabilities in Web apps produced by educational organizations or 23 vulnerabilities in retail Web applications. In addition, the average age of a Web application vulnerability topped 875 days for the IT industry, nearly twice the age of the second worst performer, the education sector, according to the report.

The IT industry's rate of production of Web apps is much higher compared with other industries, and that could significantly contribute to the greater security weaknesses of the industry, Setu Kulkarni, vice president of product management for WhiteHat Security, told eWEEK.

"In IT, we see rapid change," he said. "They are the folks who are knowledgeable about producing a lot of these applications. As you are on the leading edge of technology, you are adopting the latest and greatest framework and open-source software, for example."

Even though the report serves notice to startups and businesses hawking the latest online service or product, other industries are not off the hook.

While 60 percent of IT industry Web applications are vulnerable 365 days a year, more than half of applications produced by the retail, manufacturing, and food-and-beverage industries are always vulnerable as well, according to the report.

All four of those industries also take more than 200 days to fix a Web application vulnerability on average, the report stated.

Part of the problem is that companies are producing far more applications now, and more quickly. WhiteHat clients have submitted more than 30 percent more applications to be tested this year than in previous years, the company said.

"Software that used to take years to develop now, with technology trends [such as] cloud, Agile and DevOps, people are releasing code to production … in weeks," Kulkarni said. "The sheer number of applications has, I think, gone out of control."

Yet operations and security personnel who understand application security need to work more closely with developers. Vulnerability checks should be integrated into the development cycle, and priorities should be based on risk rather than on which vulnerabilities are easiest to fix, Kulkarni said.

"The day that developers themselves have access to the vulnerability data, that the list is put in front of them, then remediation rate may go up," he said.

Working security into development is also important because the earlier that vulnerabilities are fixed, the less costly they are, he said.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...