Global organizations continue to struggle against the rising tide of application-specific and web-application attacks. In fact, 50% of all sites tested by NTT Application Security were vulnerable to at least one serious exploitable vulnerability throughout 2021, according to the AppSec Stats Flash: 2021 Year in Review.

Highlighted by the Colonial Pipeline attack, President Biden’s Executive Order for “improving the nation’s cybersecurity,” and the ongoing Log4j fallout, the events of the past year brought application security to the forefront of all conversations. Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this unintentionally led to an overall negative result, as ‘fire-drill’ remediation initiatives seem to occur as a tradeoff with — rather than an addition to — existing remediation efforts.

These events, combined with the explosive growth in web applications accelerated by the COVID-19 pandemic, as well as the rapid adoption of modern practices that enable developers to quickly build and deliver valuable functionality, have led the market to an inflection point in how we approach application security testing.

Key findings from the NTT Application Security report include:

  • Half (50%) of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout the entire year while 27% of sites tested were vulnerable less than thirty days throughout the year.
  • The Education industry had the longest Time-To-Fix a critical vulnerability across all industries (523.5 days) —nearly 335 days more than Public Administration (188.6 days), which maintained the shortest timeframe throughout the year.
  • The Finance and Insurance industry had the lowest percentage of sites perpetually exposed (43%), while Professional, Scientific and Technical Services had the highest percentage (65%).

Kevin Dunne, President at Pathlock, says, "This explosion in vulnerabilities, paired with a great resignation of cyber professionals, have left many companies struggling to keep up with the backlog of vulnerabilities that need to be resolved in a timely fashion."

NTT Application Security found that the vulnerability classes most likely to be detected remained relatively static throughout the year, while also indicating that well known vulnerability classes plagued applications. Considering that the effort and skill required to discover and exploit these vulnerabilities is fairly low, it’s clear that attackers benefited from a target-rich environment in 2021.

To stay ahead of attackers, companies need to rely on intelligence and automation, to detect and remediate as many vulnerabilities without human intervention, Dunne says. "In the meantime, as companies work to get their vulnerabilities sorted out, they need to put in place reliable monitoring of their core infrastructure to ensure that any vulnerabilities that are exploited can be managed in a timely fashion."