With the Colonial Pipeline ransomware attacks that caused widespread East Coast fuel shortages still fresh in our minds, new WhiteHat Security research has found that application specific attacks are equally, if not more, likely than ransomware attacks.

WhiteHat Security published their latest installment of the AppSec Stats Flash report and podcast, surveying the current state of the application security and wider threat landscape. This month the company found the Window of Exposure, a key metric indicative of breach exposure, for applications in the Utilities Sector increased from 55% to 67% since the start of the year, making applications in the sector the second most vulnerable behind Public Administration applications. This means that, much like we have already witnessed with Colonial Pipeline Company, at least 67% of Utility Sector applications have at least 1 serious exploitable vulnerability open throughout the year.

More details on this month’s statistical data and findings include:

  • Window of Exposure – Key metric that allows organizations to benchmark against their respective industry peers. Window of Exposure for organizations continues to be a worrying sign of breach exposure.
    • WoE for Manufacturing decreased from 70% to 63% over the past 12 months after being the most vulnerable at the start of the year
    • WoE for Healthcare improved from 59% at the beginning of the year to 52% last month
    • Despite these decreases, the WoE remains high – 63% of all manufacturing apps and 52% of all healthcare apps have at least 1 serious exploitable vulnerability open throughout the year, a worrying sign of breach exposure
    • WoE for Utilities Sector increased from 65% last month to 67% this month and from 55% at the beginning of the year, making applications in the sector the second most vulnerable behind Public Administration
  • Vulnerability Likelihood By Class - Pedestrian vulnerabilities continue to plague applications. The effort and skill required to discover and exploit these vulnerabilities is fairly low, thus making it easier for the adversary.
  • The top-5 vulnerability classes identified in the last 3-month rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross Site Scripting, Insufficient Transport Layer Protection & Content Spoofing.
  • Over the last 3 months, there has been a spike in the number of HTTP Response Splitting vulnerabilities in applications, from an average of 1.5 vulnerabilities up to 4.4 vulnerabilities.
  • Examining WhiteHat reported vulnerability likelihood vis-a-vis OWASP Top 10
    • The OWASP A6-Security Misconfiguration (67%), A3-Sensitive Data Exposure (41%), A5-Broken Access Control (17%) and A2-Broken Authentication (10%) account for 4 of the 5 most likely vulnerability classifications among the OWASP Top 10.
    • WhiteHat classifies "Insufficient Session Expiration" as a major cause of A2 - Broken Authentication issues and Insufficient Process Validation issues.
  • Time to Fix - Focus on reducing average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications
    • Average time to fix a critical vulnerability is 197 days, the highest it has been this year, contributing to the large window of exposure.


Key Takeaways:

  • High Windows of Exposure is a major concern. Utilities sector applications have seen an up-tick in Window of Exposure. This is likely attributable to increased focus on Security in Utilities which has resulted in more applications being tested. Healthcare and Finance sector applications are steadily improving on or maintaining lower Windows of Exposure.
  • Time to Fix has also seen a significant up-tick pointing to a growing need to implement targeted campaigns to address the most commonly found vulnerabilities. The most commonly found vulnerabilities list remains constant.
  • OWASP Top 10's A2 - Broken Authentication is a dangerous set of vulnerabilities that can result in undesirable data & functionality exposure. Insufficient Session Expiration is a major vulnerability class within A2 and is also the second most likely vulnerability class to occur in applications across the board.