NTT Application Security released its six-month trend findings in its AppSec Stats Flash Vol. 7, reporting on the current state of application security and the wider threat landscape, including Window of Exposure (WoE), Vulnerability by Class, and Time to Fix. Each month, the AppSec Stats Flash reflects on the evolving threat landscape, tracks key AppSec metrics on an ongoing basis and brings forward key actionable takeaways for security and development teams who are responsible for the applications that run their business.

Trends from the past 6 months include:

• Applications in the Utilities sector continues to top the chart, with 66% of applications in the industry having at least one serious exploitable vulnerability throughout the year.
• Education, Manufacturing, and Retail and Wholesale Trade applications each saw an increase in WoE this month. The Wholesale Trade sector experienced a 7% increase in the WoE, while Education, Retail Trade and Manufacturing rose by 4% and healthcare rose by 2%.
• The Finance and Insurance sectors improved over last month, reporting a 2% drop in their WoE. Conversely, the Healthcare sector’s WoE increased by 2%.
• The Wholesale Trade sector has seen a 15% increase in WoE, while Utilities has experienced an 11% increase since the beginning of the year.
• Manufacturing, Public Administration and Healthcare are large sectors that have each seen a decline in their respective Window of Exposures, likely due to an increased focus on security following targeted breach activity and/or new regulation(s).

Additional findings include:

• Window of Exposure
  • Wholesale trade as a sector has seen a 15% increase in Window of Exposure, while Utilities as a sector has seen a 11% increase in Window of exposure since the beginning of the year. 
  • Manufacturing, Public Administration and Healthcare are large sectors that have seen a decline in their respective Window of Exposures, likely due to increased focus as a result of either targeted breach activity and/or new regulation.
• Remediation Rates
  • Remediation rates across all vulnerability severities is decreasing.
  • Remediation rates for critical vulnerabilities decreased from 54% at the beginning of the year to 48% at the end of June.
  • Remediation rates for high vulnerabilities decreased from 50% at the beginning of the year to 38% at the end of June.
• Time to Fix
  • Time to Fix (TTF) for all vulnerability severities is increasing.
  • Average TTF for critical vulnerabilities increased from 197 days at the beginning of the year to 202 days at the end of June.
  • Average TTF for high vulnerabilities increased from 194 days at the beginning of the year to 246 days at the end of June.

Key-Takeaways:

• Overall, the remediation rate for severe vulnerabilities is on the decline while the average time to fix is on the increase. These two trends contribute to an overall increase in the window of exposure for applications in general. 
• The top 5 vulnerability classes by prevalence remain constant - pointing to a systematic failure to address these well-known vulnerabilities.
• The prevalence of HTTP Response Splitting is on the rise. Organizations should pay special attention to upgrading underlying open-source components that contribute to this application vulnerability.