NTT Application Security has released Volume 9 of its monthly AppSec Stats Flash report.

Each month, the AppSec Stats Flash reflects on the evolving threat landscape, tracks key AppSec metrics on an ongoing basis and brings forward key actionable takeaways for security and development teams responsible for the applications that run their business.

This month, the NTT Application Security research team focused on cyberthreats targeting education applications as security concerns in that sector continue to grow. The pandemic-driven acceleration of online learning environments and considerable rates of ransomware and phishing attacks against K-12 schools have increased focus on these organizations' unique cybersecurity challenges.

Key findings from AppSec Stats Flash Volume 9 include:

  • Although the education sector's breach exposure has remained relatively consistent this year, the sector is taking longer to fix high-severity vulnerabilities than other industries (206 days vs. 201 days).
  • Applications within the education sector show an increased Window of Exposure (WoE) rate, rising to 57% in August from 53% last month.
  • 53% of applications in the education sector have at least one critical vulnerability exploitable throughout the year. However, 34% of these applications have a Window of Exposure of less than one month. This means that severe vulnerabilities in 34% of applications in the sector get addressed within one month.

"The application security statistics for the education sector indicate a hyper-focus among organizations in this sector on a handful of critical web applications and fixing a handful of critical vulnerabilities in those applications. The approach seems to be working given the otherwise stable WoE metrics that are now, in fact, improving," said Setu Kulkarni, Vice President, Strategy, at NTT Application Security. "To accelerate the improvement in the education sector's overall application security posture, organizations in the sector should expand their approach to identify their overall attack surface and put in place a systematic program that progressively covers all applications. In addition, educational institutes should provide best-practice training to students to remain safe on the internet regardless of the state of the application security of the apps they interact with daily. Finally, educational institutions should demand that software as a service (SaaS) and non-SaaS products they use in a commercial off-the-shelf manner have been through rigorous AppSec programs."