Another day, another discouraging report about web security. This time it's research from WhiteHat Security, a provider of web application security software, that found a large number of web apps are insecure. Most applications exhibit, on average, at least two serious vulnerabilities at any time, according to the report, which is based on aggregated scanning and remediation data obtained from applications that used WhiteHat's Sentinel service for application security testing in 2015.
In looking at the window of exposure, the number of days in a year during which an application has at least one serious vulnerability open, WhiteHat found that none of the 12 industries it reviewed did a very good job of resolving vulnerabilities in their web applications. An application that is exposed every day of the year is counted as "always vulnerable."
In three industries - insurance, energy and entertainment/media - about 30 percent of web apps were always vulnerable. Banking, financial services and technology fared somewhat worse, with about 40 percent of their apps always vulnerable.
Even worse were the health care, retail and education verticals, where about half of all apps were always vulnerable. In manufacturing and food/beverage, 57 percent of apps were always vulnerable. And at the scariest end of the spectrum, 60 percent of apps in IT were always vulnerable.
IT's Poor Application Security Performance
IT had the worst performance among industries in several other categories as well. For instance, IT had on average 32 vulnerabilities per website. In contrast, 9 of the 12 industries had fewer than 20 vulnerabilities per site.
In addition, IT had the highest average age for vulnerabilities remaining open, at 875 days. The range across the other 11 industries was 275 to 450 days. The report found that critical and high-risk vulnerabilities had an average age of 300 and 500 days, respectively.
IT also had the lowest remediation rate, 24 percent. Across the other 11 industries, remediation rate ranged from 42 percent to 66 percent. Only three industries, manufacturing, food/beverage and entertainment/media, had remediation rates above 50 percent.
All but two of the 12 industries improved their remediation rates in 2015, in some cases showing significant improvements. Remediation rates grew from 17 percent to 62 percent for the food/beverage industry over a two-year period, and the manufacturing industry nearly doubled its remediation rate, from 34 percent to 66 percent. IT dropped from a 46 percent remediation rate in 2013 to 24 percent in 2015.
And IT had the worst time-to-fix, 245 days. Across the other 11 industries, time-to-fix ranged from about 100 days to about 220 days. Seven of the industries had an average time-to-fix of fewer than 150 days.
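The four numbers the report leans on (window of exposure, age of open vulnerabilities, remediation rate and time-to-fix) are easy to compute from any scanner's export once you pin down their definitions. The following is an added example written for this article, not WhiteHat's code; the metric definitions it uses are assumptions, since the report does not publish its formulas: remediation rate is closed findings over all findings, time-to-fix is days from discovery to closure, open age is days from discovery to the as-of date, and the window of exposure counts the days in a year on which a site had at least one critical or high finding open, with "always vulnerable" meaning every day of the year. The severity labels and the sample findings are constructed for the example.

```python
"""Scorecard metrics over vulnerability findings (added example; definitions are assumptions)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed severity labels treated as "serious" for the window of exposure.
SERIOUS: Set[str] = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    site: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None while the finding is still open


def remediation_rate(findings: List[Finding]) -> float:
    """Share of all findings that have been closed (assumed definition)."""
    if not findings:
        return 0.0
    return sum(f.closed is not None for f in findings) / len(findings)


def mean_time_to_fix(findings: List[Finding]) -> float:
    """Average days from discovery to closure over closed findings only."""
    ttf = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(ttf) / len(ttf) if ttf else 0.0


def mean_open_age(findings: List[Finding], as_of: date) -> float:
    """Average days that still-open findings have been open as of a given date."""
    ages = [(as_of - f.opened).days for f in findings if f.closed is None]
    return sum(ages) / len(ages) if ages else 0.0


def exposed_days_by_site(findings: List[Finding], year: int,
                         serious: Set[str] = SERIOUS) -> Dict[str, int]:
    """Days in `year` on which each site had at least one serious finding open.

    A finding counts on every day from its open date up to, but not
    including, its close date; overlapping findings are not double counted.
    """
    start, end = date(year, 1, 1), date(year + 1, 1, 1)
    exposed: Dict[str, Set[int]] = {f.site: set() for f in findings}
    for f in findings:
        if f.severity not in serious:
            continue
        lo = max(f.opened, start)
        hi = min(f.closed or end, end)
        exposed[f.site].update(range(lo.toordinal(), hi.toordinal()))
    return {site: len(days) for site, days in exposed.items()}


def scorecard(findings: List[Finding], as_of: date, year: int) -> dict:
    """Assemble the metrics the report quotes into one scorecard."""
    exposed = exposed_days_by_site(findings, year)
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    always = sorted(s for s, d in exposed.items() if d == days_in_year)
    return {
        "remediation_rate": remediation_rate(findings),
        "mean_time_to_fix_days": mean_time_to_fix(findings),
        "mean_open_age_days": mean_open_age(findings, as_of),
        "exposed_days": exposed,
        "always_vulnerable_sites": always,
        "always_vulnerable_share": len(always) / len(exposed) if exposed else 0.0,
    }


# Constructed sample findings for three hypothetical sites.
SAMPLE: List[Finding] = [
    Finding("shop", "critical", date(2014, 6, 1)),                      # open all of 2015
    Finding("shop", "high", date(2015, 3, 1), date(2015, 4, 30)),
    Finding("portal", "high", date(2015, 1, 10), date(2015, 2, 9)),
    Finding("portal", "low", date(2015, 5, 1)),                         # not serious
    Finding("blog", "critical", date(2015, 7, 1), date(2015, 7, 31)),
    Finding("blog", "high", date(2015, 12, 1), date(2016, 1, 15)),      # spans year end
]

if __name__ == "__main__":
    for key, value in scorecard(SAMPLE, as_of=date(2015, 12, 31), year=2015).items():
        print(f"{key}: {value}")
```

Run against a scanner export instead of `SAMPLE` and the "always vulnerable" share is the per-industry number the report quotes; dropping the close-date exclusion or counting low-severity findings would shift the window-of-exposure figure, so state whichever definition you settle on alongside the numbers.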
So what gives with IT?
Setu Kulkarni, WhiteHat's vice president of Product Management, mentioned three factors. First, IT is not as regulated as industries that must comply with PCI, HIPAA and other industry-specific mandates, he said. Second, IT's behavior may be driven by the nature of its sites, which typically contain non-sensitive content such as product or service descriptions and white papers. Because of the relative lack of sensitive content, he said, "they may not have an urgent need to remediate issues."
Third, Kulkarni added, understanding of risk may be low in IT. "From our experience we have seen very mature risk management programs from customers in sectors such as financial services and banking. We don't see that level of maturity in IT."
Time-to-Fix Software Vulnerabilities
Writing on the company blog, Chief Marketing Officer Tamir Hardof highlighted an upward trend in the average time-to-fix. "In 2013, the average time-to-fix was approximately 100 days. The average time-to-fix in 2015 jumped to approximately 150 days, and this longer shelf time of vulnerabilities directly correlates with increased risk to the business," he wrote.
The metric "indicates that traditional application security strategies of detecting and remediating are not working... ," Hardof wrote, adding, "Whether it's an issue around feedback between developers and security teams, a lack of security resources or too little involvement from the executive board, it's clear application security is a problem that requires organization-wide collaboration from developers, security practitioners and business leaders."
Application Security Recommendations
The need for collaboration is an overarching theme of the report, which offers specific suggestions for executives, security practitioners and DevOps teams. Some of them are highlighted below.
For Executives
- Use analytics to identify and prioritize the most business-critical applications that need to be secured
- Build a scorecard that will help you assess your security posture and compare your performance to others in your industry
- Empower security pros to hold developers accountable for application security
- Create a mandate to reward development teams for measuring and improving application security
For Security Professionals
- Identify security patches required for the underlying operating systems to provide your business applications a secure execution environment
- Work with IT to identify scheduled maintenance windows aimed at updating the OS for security patches
- Help development teams understand the composition of their applications and prioritize the vulnerable libraries to be fixed or upgraded
- Participate in development meetings to promote a secure application agenda
- Create a plan to mitigate critical vulnerabilities using technologies like web application firewalls, which can give dev teams time to produce remediation fixes
- Plan static application security testing (SAST) cycles throughout the software development lifecycle and baseline the software's security characteristics
For DevOps Teams
- Assess applications for security early in the development process; employ both source scanning and dynamic scanning as part of a continuous integration process
- Create a culture that rewards writing security flaw-free code
- Use application security tools and experts to perform security quality checks on software code, much as you use software quality tools and experts
Kulkarni mentioned the WhiteHat Security Index (WSI), which the company introduced last year and which he described as a way to assess application security status with a FICO-like score.
"Since we launched we've heard from some of our customers, especially those in financial services and health care, that it is an effective way to communicate the security posture of their web apps to their executive team," he said. "WSI has made the abstract more concrete for executives concerned about security, but that don't have a day-to-day responsibility for it. We're hoping WSI will also help security teams better communicate to developers the urgent need for putting secure coding practices in place."
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.