
Making Web Application Security Statistics Meaningful

This year, WhiteHat Security celebrates its fifteenth anniversary in the application security space. Over the years, we’ve witnessed significant change in the web application landscape, including the way apps are connected, the number of applications organizations maintain, both internal and customer-facing, the devices used to access them, the type of data they transport, and the speed at which they are developed.

It’s safe to say that today’s applications hardly resemble those of 15 years ago – except when considering that application vulnerabilities were an issue when WhiteHat started in 2001, and we have not seen any monumental improvement.

To help communicate concerns around insecure web applications and mitigate risk from this ongoing problem, WhiteHat launched its annual Web Applications Security Statistics Report, which provides a unique perspective into the security challenges companies face when conducting business online. Now in its eleventh year, this report analyzes vulnerabilities, remediation rates and risk levels to enable companies to better understand how and where their business-critical information is exposed to attacks.

Report findings continue to illustrate reasons why web app attacks pose one of the greatest threats to today’s businesses:

  • Critical and high-risk vulnerabilities have an average age of 300 and 500 days, respectively.
  • For the 12 industries analyzed in this report, nine have vulnerability remediation rates below 50 percent.
  • Insufficient Transport Layer Protection, Information Leakage and Cross-Site Scripting are widely known application vulnerabilities, yet they are the three most common vulnerabilities found within web applications across all industries.

Organizations have hundreds, if not thousands, of web applications, and each of these web apps has anywhere from five to 32 vulnerabilities – meaning there are thousands of vulnerabilities across the average organization’s web applications. While this situation may feel overwhelming, risk ratings can really help security teams prioritize which vulnerabilities they work on fixing first. Unfortunately, this year’s report tells us once again that organizations are not relying on risk levels as a baseline to manage their application security strategies.

One statistic we find particularly interesting is the average time it takes to fix a vulnerability. Since 2013, the average time-to-fix has trended upward: in 2013 it was approximately 100 days, and in 2015 it jumped to approximately 150 days. The longer a vulnerability stays open, the longer the business is exposed, so this trend directly correlates with increased risk to the business.
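As an added example (not WhiteHat's code and not the report's methodology), the script below shows how the metrics discussed above can be computed from a vulnerability inventory: remediation rate per industry, average age of still-open vulnerabilities by risk level, average time-to-fix for closed ones, and a fix queue ordered by risk level first and age second, which is the prioritization the previous paragraphs argue for. The `Finding` schema, the industries and all dates are constructed for illustration and are not figures from the report.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Risk levels ordered from most to least severe; used to rank the backlog.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from an assessment (constructed schema, hypothetical)."""
    finding_id: str
    industry: str
    vuln_class: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None while the vulnerability is still open

    def age_days(self, as_of: date) -> int:
        """Days the finding has been open (or was open, if already closed)."""
        end = self.closed if self.closed is not None else as_of
        return (end - self.opened).days


# Reporting cut-off date for age calculations (constructed).
AS_OF = date(2016, 6, 30)

# Constructed sample inventory; values are illustrative, not report data.
FINDINGS: List[Finding] = [
    Finding("F-001", "retail", "Cross-Site Scripting", "high", date(2015, 1, 10), date(2015, 7, 1)),
    Finding("F-002", "retail", "Information Leakage", "medium", date(2015, 3, 2)),
    Finding("F-003", "retail", "SQL Injection", "critical", date(2015, 9, 15)),
    Finding("F-004", "finance", "Insufficient Transport Layer Protection", "high", date(2014, 11, 20)),
    Finding("F-005", "finance", "Cross-Site Scripting", "high", date(2016, 1, 5), date(2016, 3, 1)),
    Finding("F-006", "finance", "Information Leakage", "low", date(2016, 4, 1)),
    Finding("F-007", "healthcare", "SQL Injection", "critical", date(2015, 12, 1), date(2016, 5, 1)),
    Finding("F-008", "healthcare", "Cross-Site Scripting", "medium", date(2015, 6, 1)),
]


def remediation_rate(findings: List[Finding], industry: Optional[str] = None) -> float:
    """Fraction of findings (optionally restricted to one industry) that have been closed."""
    pool = [f for f in findings if industry is None or f.industry == industry]
    if not pool:
        return 0.0
    return sum(1 for f in pool if f.closed is not None) / len(pool)


def average_open_age(findings: List[Finding], severity: str, as_of: date = AS_OF) -> float:
    """Average age in days of still-open findings at the given risk level."""
    ages = [f.age_days(as_of) for f in findings if f.closed is None and f.severity == severity]
    return sum(ages) / len(ages) if ages else 0.0


def average_time_to_fix(findings: List[Finding]) -> float:
    """Average days from discovery to closure across closed findings."""
    ttf = [f.age_days(AS_OF) for f in findings if f.closed is not None]
    return sum(ttf) / len(ttf) if ttf else 0.0


def prioritized_backlog(findings: List[Finding], as_of: date = AS_OF) -> List[Finding]:
    """Open findings ordered by risk level first, then oldest first within a level."""
    open_items = [f for f in findings if f.closed is None]
    return sorted(open_items, key=lambda f: (SEVERITY_RANK[f.severity], -f.age_days(as_of)))


def most_common_classes(findings: List[Finding], n: int = 3):
    """The n vulnerability classes seen most often, as (class, count) pairs."""
    return Counter(f.vuln_class for f in findings).most_common(n)


if __name__ == "__main__":
    print(f"overall remediation rate: {remediation_rate(FINDINGS):.0%}")
    for ind in sorted({f.industry for f in FINDINGS}):
        print(f"  {ind:<11} {remediation_rate(FINDINGS, ind):.0%}")
    for sev in ("critical", "high"):
        print(f"avg age of open {sev}: {average_open_age(FINDINGS, sev):.0f} days")
    print(f"avg time-to-fix: {average_time_to_fix(FINDINGS):.0f} days")
    print("fix queue:", [f.finding_id for f in prioritized_backlog(FINDINGS)])
    print("most common classes:", most_common_classes(FINDINGS))
```

The queue ordering is the point: with the constructed data, the lone open critical (289 days old) goes first even though the open high has been open far longer (588 days), and within the medium level the older finding comes before the newer one. Feeding a real export from a scanner or tracking system into the same functions gives the per-industry remediation rate and time-to-fix trend the report discusses.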

This metric indicates that traditional application security strategies of detecting and remediating are not working, and only escalate the challenge. Whether it’s an issue around feedback between developers and security teams, a lack of security resources, or too little involvement from the executive board, it’s clear application security is a problem that requires organization-wide collaboration from developers, security practitioners and business leaders.

So, we did something a little different this year. Instead of adding to the noise with another report highlighting how application security is in a bad spot, we’ve indicated what the report findings mean to these three unique audiences, all of whom play a vital role in improving an organization’s security posture. To help companies get started on the path toward safeguarding their data, we’ve outlined the main responsibilities of each group:

Developers: Approach security as a key part of the software development lifecycle. Integrate software assessment and developer analytics as part of your organization’s software development lifecycle.

Security Practitioners: Help your development teams understand the composition of their software applications and prioritize the vulnerable libraries for your development teams to fix.

Business Leaders: Support collaboration between the DevOps and security teams by ensuring that security leaders have the resources they need to identify and fix vulnerabilities in software faster, and developers receive security training.

Building security into the software, as opposed to bolting it on at the end, ensures the security of business-critical applications for the long run. As new attack methods develop daily, it’s essential for companies to take preventative security measures and ensure they are not leaving their applications and information exposed to attacks. Developers and security practitioners together, with support from business leaders, can play an active role in improving application security posture so organizations can stay ahead of hackers.


Join us for the webinar 2016 Web Applications Security Stats Report Explained
