Half of Apps Contain at Least One Serious Exploitable Vulnerability

At least 50% of apps used in sectors such as manufacturing, public services, healthcare, retail, education and utilities contain one or more serious exploitable vulnerabilities, according to a new study by WhiteHat Security.

This is particularly concerning given that the shift to digital across most sectors in the past year has increased the number of apps in use.

Manufacturing had the highest “window of exposure,” with nearly 70% of applications in the sector having at least one serious exploitable vulnerability, according to the AppSec Stats Flash Volume 2 report, a monthly analysis launched this year.

The top five vulnerability classes recorded by WhiteHat over the previous three months were information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing. The report authors noted that “the effort and skill required to discover and exploit these vulnerabilities is fairly low, thus making it easier for the adversary.”

Part of the problem appears to be the high average time to fix critical vulnerabilities, which was revealed to be 189 days across all industries. More encouragingly, there was a five-day improvement in the 12-month average compared to last month, falling from 194 days. Three sectors – educational services, public administration and real estate – took over a year on average to fix critical vulnerabilities.

Setu Kulkarni, VP, corporate strategy and business development at WhiteHat Security, commented: “In 2021, we have more detailed security and breach data than ever before. Yet, the state of application security remains very concerning. No application is built the same way and therefore each presents an entirely unique attack surface. That, combined with the fact that applications today are increasingly polymorphic presenting web, mobile and API-based interfaces, makes application security a multi-dimensional challenge.”
