Latest NTT Application Security Research Finds Average Time to Fix Severe Vulnerabilities Increased

NTT Application Security is releasing Volume 8 of the company’s monthly AppSec Stats Flash report, with statistics on the current state of application security and the broader industry. This month’s findings revealed that the average Time to Fix high severity vulnerabilities has increased by 10 days from 246 days last month to 256 days this month.

Each month, the AppSec Stats Flash reflects on the evolving threat landscape, tracks key AppSec metrics on an ongoing basis and brings forward key actionable takeaways for security and development teams who are responsible for the applications that run their business.

Key Findings from AppSec Stats Flash Volume 8 Include:

  • Increasing Window of Exposure (WoE) in critical industries like Utilities, Retail, and other high-profile sectors increases the risk for both supply chain type and ransomware exploits for organizations. The WoE metric represents the amount of time that an application has a serious vulnerability that can be exploited to data breaches.

  • The Top 5 vulnerability classes by prevalence remain constant, pointing to a systematic failure to address these well-known vulnerabilities and making it easier for adversaries to exploit applications.

  • A7 - XSS is the 4th most prevalent vulnerability type. A combinatorial line of attack should be employed to eliminate XSS vulnerabilities, including education around simple XSS vulnerabilities to promote mitigation/remediation, use of template engines to get in-built protection, and implementing contextual output encoding as a best practice.

“Of this month’s findings, the most important sector that I'd like to call out is retail. This month, retail trade saw an increase of three basis points in its WoE - from 58% last time to 61% this time”, said Setu Kulkarni, Vice President, Strategy, at NTT Application Security. “As we get closer to the last quarter of the year, there is going to be an expected increase in the transactions and activity on retail web and mobile applications and with that comes heightened risks for breach activity as well.”

In this latest research, the “Management of Companies and Enterprises” sector continued its run to become the most vulnerable sector. Among other risks, vulnerable applications are creating another attack vector to embed ransomware, especially for such a critical set of applications like holding companies of multi-billion-dollar assets.