New Report Says Average Time to Fix Cybersecurity Vulnerabilities Is 205 Days

A new report from WhiteHat Security suggests that the average time it takes to fix critical cybersecurity problems has increased from 197 days in April 2021 to 205 days in May 2021.

WhiteHat researchers found that organizations in the utility sector had the longest window of exposure for their application vulnerabilities, a problem that made national news when it was revealed that over 50,000 water treatment plants across the U.S. had vulnerable cybersecurity. Additionally, it was revealed that there have been multiple unreported attacks on utilities.

According to the report, over 66% of all applications used in the utility sector have at least one vulnerability open throughout the year. Setu Kulkarni, Vice President at WhiteHat Security, said over 60% of applications in the manufacturing industry also had a window of exposure of over a year.

‘At the same time, they have a very small number of applications that have a window of exposure that is less than 30 days, meaning applications where exploitable serious vulnerabilities get fixed under a month,’ Kulkarni explained. He noted that the insurance and finance industries performed better at addressing vulnerabilities.

‘Finance has a much more balanced window of exposure outlook. About 40% of applications have a WoE of 365 days, but about 30% have a WoE of fewer than 30 days.’
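To make the window-of-exposure (WoE) metric quoted above concrete, here is an added example (not code or data from WhiteHat or ZDNet) that computes it from a constructed list of findings. It assumes WoE is the number of days in a one-year reporting window during which an application had at least one serious (critical or high) vulnerability open, with overlapping findings counted once, and then reports what share of each industry's applications fall under 30 days, between 30 and 364 days, or at the full 365 days, the same split the quote uses. The industries, application names, severities and dates are all made up.

```python
from collections import defaultdict
from datetime import date, timedelta

# Reporting window: one year, inclusive on both ends (constructed).
REPORT_START = date(2020, 6, 1)
REPORT_END = date(2021, 5, 31)
SERIOUS = {"critical", "high"}        # severities that count toward WoE (assumption)
BUCKETS = ("<30", "30-364", "365")    # mirrors the article's <30 days / 365 days split

# Constructed sample findings, NOT data from the WhiteHat report:
# (industry, application, severity, date opened, date fixed or None if still open)
FINDINGS = [
    ("utilities", "scada-portal", "critical", date(2020, 3, 1), None),
    ("utilities", "billing", "high", date(2020, 8, 10), date(2021, 1, 15)),
    ("utilities", "billing", "low", date(2020, 9, 1), None),
    ("finance", "mobile-banking", "critical", date(2021, 2, 1), date(2021, 2, 20)),
    ("finance", "loan-origination", "high", date(2020, 5, 1), None),
    ("finance", "kyc-api", "medium", date(2020, 7, 1), date(2020, 7, 5)),
]


def open_days(opened, fixed, start=REPORT_START, end=REPORT_END):
    """Set of calendar days in [start, end] on which one finding was open.

    A finding counts as open from the day it was opened up to the day
    before it was fixed; a finding with no fix date is open through `end`.
    """
    first = max(opened, start)
    last = end if fixed is None else min(fixed - timedelta(days=1), end)
    if first > last:
        return set()
    return {first + timedelta(days=i) for i in range((last - first).days + 1)}


def window_of_exposure(findings, serious=SERIOUS):
    """Per application: (industry, days in the window with >=1 serious finding open).

    Days are unioned across findings, so two concurrent bugs in the same
    application do not double count; apps with only low/medium findings get 0.
    """
    exposed = {}
    industry_of = {}
    for industry, app, severity, opened, fixed in findings:
        industry_of[app] = industry
        exposed.setdefault(app, set())
        if severity in serious:
            exposed[app] |= open_days(opened, fixed)
    return {app: (industry_of[app], len(days)) for app, days in exposed.items()}


def bucket(woe, window_days=(REPORT_END - REPORT_START).days + 1):
    """Map a WoE day count onto the article's buckets."""
    if woe < 30:
        return "<30"
    return "365" if woe >= window_days else "30-364"


def distribution_by_industry(findings):
    """Percentage of each industry's applications in each WoE bucket."""
    counts = defaultdict(lambda: {b: 0 for b in BUCKETS})
    for app, (industry, woe) in window_of_exposure(findings).items():
        counts[industry][bucket(woe)] += 1
    result = {}
    for industry, c in counts.items():
        total = sum(c.values())
        result[industry] = {b: round(100 * n / total, 1) for b, n in c.items()}
    return result


if __name__ == "__main__":
    for app, (industry, woe) in sorted(window_of_exposure(FINDINGS).items()):
        print(f"{industry:10} {app:18} WoE={woe:3d} days -> {bucket(woe)}")
    for industry, dist in distribution_by_industry(FINDINGS).items():
        print(industry, dist)
```

With the constructed data, the two utility applications split evenly between the full-year and mid-range buckets, while two of the three finance applications sit under 30 days, which is the "balanced" shape the quote describes. The union over days is the part worth keeping when adapting this to real scanner exports: summing per-finding durations would overstate exposure for applications that carry several open findings at once.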

The researchers at WhiteHat Security said the top five vulnerability classes seen over the past three months were cross-site scripting, information leakage, content spoofing, insufficient session expiration and insufficient transport layer protection.

The report observes that many of these vulnerabilities are ‘pedestrian’ and don’t require much effort or skill to discover and exploit.

Kulkarni said the company decided to switch from releasing the report annually to releasing it monthly because of the large number of new applications being developed, changed and deployed, particularly since the onset of the pandemic. The threat landscape has also evolved.

Kulkarni also noted that the situation had highlighted the lack of cybersecurity talent available to most organizations, and the insufficient resources in many industries that are scrambling to manage updates for hundreds of applications.

‘We look at the window of exposure by the industry as a bellwether metric for breach exposure. When you look at industries like utilities or manufacturing that have been laggards in digital transformation when compared to finance and healthcare we find that they have a window of exposure data in a complete disbalance,’ Kulkarni said.

‘The key takeaway from this data is that organizations that are able to adapt their AppSec program to cater to the needs of legacy and new applications fare much better at balancing the window of exposure for their applications. That is what I am calling two-speed AppSec: focusing on production testing and mitigation for legacy applications; focusing on production and pre-production testing and balancing mitigation as well as remediation for newer applications.’

All applications today are connected to the Internet directly or indirectly. Kulkarni explained that this means a single vulnerability could potentially affect thousands of end users. He suggested organizations share the responsibility for security more broadly across all stakeholders, rather than leaving it to security and IT teams alone, which lack the resources to handle it carefully on their own.

‘Security is a team sport, and for the longest time, there has been a disproportionate share of responsibility placed on security and IT teams.’

‘Development teams are pressed for time, and they are in no position to undergo multiple hours of point-in-time dedicated security training. A better approach is for the security teams to identify the top 1-3 vulnerabilities that are trending in the applications they are testing and provide development teams bite-sized training focused on those vulnerabilities.’

By Marvellous Iwendi.

Source: ZDNet