The threat landscape surrounding web, mobile and API-based applications is evolving rapidly. Consequently, there is a critical need for a frequent and periodic analysis of the overall state of application security. Each month, NTT Application Security’s AppSec Stats Flash reflects on the evolving threat landscape, tracks key AppSec metrics on an ongoing basis and brings forward key actionable takeaways for security and development teams responsible for the applications that run their business.
In this month's AppSec Stats Flash, the “Management of Companies and Enterprises” sector continued its run to become the most vulnerable sector. Among other risks, vulnerable applications create another attack vector to embed ransomware, especially for such a critical set of applications like holding companies of multi-billion-dollar assets.
Applications in the utility space continue to suffer from a high window of exposure, with 67% of applications having at least one exploitable severe vulnerability throughout the year. Retail Trade saw an increase of 3 basis points in its WoE - from 58% last time to 61% this time. As we get closer to the year’s final quarter, there will be an expected increase in the transactions and activity on the retail web and mobile applications. As such, applications in this sector are going to be rich targets for exploits.
The top 5 vulnerability classes identified in the last 3-month rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross-Site Scripting, Insufficient Transport Layer Protection and Content Spoofing. Pedestrian vulnerabilities continue to plague applications. The effort and skill required to discover and exploit these vulnerabilities are relatively low, thus making it easier for the adversary. NTT researchers recommend that organizations track their top 5 vulnerabilities and implement a campaign to educate their software teams about the top 5 vulnerabilities to eradicate these vulnerabilities from their applications systematically.
Time to Fix - metric provides an industry baseline for how long it takes to fix a vulnerability and associates that with risk (to the organization) - has dropped by two days from 202 days to 200 days. However, Time to Fix for high severity vulnerabilities increased by 10 days - 246 days last month to 256 days in this month’s analysis. Focus on reducing the average time to fix critical and high severity vulnerabilities to improve the window of exposure and consequently the overall security posture of applications, NTT researchers say.
In addition, A7 - XSS was number 4 on NTT’s list of most prevalent vulnerability types. Overall, XSS has an almost 12% likelihood across all the applications analyzed. Of all XSS vulnerabilities, 62% are Reflected, or DOM-based XSS vulnerabilities (discovered via automated scanning), and 38% are Stored XSS vulnerabilities (discovered exclusively through manual assessments of in-production applications to ensure production safety). Of all the Reflected or DOM-based XSS vulnerabilities, 60% do not use any evasion techniques. They are textbook vulnerabilities that can be tested using techniques from the OWASP cheat sheet.