WhiteHat Security published their latest installment of the AppSec Stats Flash report and podcast, surveying the current state of the application security and wider threat landscape. Key findings from the report include the average time (rolling 12 months) to fix critical vulnerabilities has increased from 197 days in April 2021 to 205 days in May 2021, and in the case of the recent security events, undetected and unresolved cyberattacks can lead to devastating ransomware threats, supply chain risks, and application vulnerabilities.

Key takeaways from the report include:

  • Utilities sector applications continue to have highest Window of Exposure (WoE).
  • Time to Fix has also seen a significant up-tick pointing to a growing need to implement targeted campaigns to address the most commonly found vulnerabilities. The most commonly found vulnerabilities list remains constant.
  • OWASP Top 10's A1 - Injection are Implementation Vulnerabilities, often requiring software engineering effort to fix. Within A1, SQL Injection is the pre-dominant vulnerability that plagues applications.

Additional details on this month’s statistical data and findings include:

  • Window of Exposure – Key metric that allows organizations to benchmark against their respective industry peers and is an indicative sign of breach exposure.
    • WoE for Utilities Sector remained constant from last month with 67% of all applications in the Utility sector having at least one exploitable vulnerability open throughout the year.
    • WoE for the Finance and Insurance industries exhibit a starkly opposite trend - for almost 30% of the applications in these industries, all serious exploitable vulnerabilities fixed under 30 days of being detected.


  • Vulnerability Likelihood By Class
    • The top-5 vulnerability classes identified in the last 3-mo rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross Site Scripting, Insufficient Transport Layer Protection & Content Spoofing.


  • Examining WhiteHat reported vulnerability likelihood vis-a-vis OWASP Top 10 ­­The OWASP Top Ten represents a broad consensus about the most critical security risks to web applications
    • Approximately 2% of all vulnerabilities are Injection (A-1) related vulnerabilities. Injection vulnerabilities arise because of implementation errors and require an implementation change to fix these issues except when the Injection vulnerability is inherited from a third party component (COTS or OSS).
    • SQL Injection is the pre-dominant Injection vulnerability accounting for more than 50% of all Injection vulnerabilities.


  • Time to Fix - Focus on reducing average time to fix critical and high severity vulnerabilities is critical to improving the window of exposure and consequently the overall security posture of applications
    • Average time to fix critical vulnerabilities is 205 days, a new high for the year.
    • The average time (rolling 12 months) to fix critical vulnerabilities has increased from 197 days in April 2021 to 205 days in May 2021. 

For the full report, please visit https://www.whitehatsec.com/appsec-stats-flash/