NTT Application Security Report: Most Businesses Continue to Struggle with AppSec

The threat landscape surrounding web, mobile and API-based applications is evolving rapidly. Therefore, there is a critical need for a frequent and periodic analysis of the overall state of application security.

This week, NTT Application Security released its 6-month trend findings in its AppSec Stats Flash Vol. 7, reporting on the current state of application security and the wider threat landscape, including Window of Exposure (WoE), Vulnerability by Class, and Time to Fix. Each month, the AppSec Stats Flash reflects on the evolving threat landscape, tracks key AppSec metrics on an ongoing basis and brings forward key actionable takeaways for security and development teams who are responsible for the applications that run their business.


Top Highlights:

  • Applications in the Utilities sector continues to top the chart, with 66% of applications in the industry having at least one serious exploitable vulnerability throughout the year.

  • Education, Manufacturing, and Retail and Wholesale Trade applications each saw an increase in WoE this month. The Wholesale Trade sector experienced a 7% increase in the WoE, while Education, Retail Trade and Manufacturing rose by 4% and healthcare rose by 2%.

  • The Finance and Insurance sectors improved over last month, reporting a 2% drop in their WoE. Conversely, the Healthcare sector’s WoE increased by 2%.

  • The Wholesale Trade sector has seen a 15% increase in WoE, while Utilities has experienced an 11% increase since the beginning of the year.

  • Manufacturing, Public Administration and Healthcare are large sectors that have each seen a decline in their respective Window of Exposures, likely due to an increased focus on security following targeted breach activity and/or new regulation(s).

Report Key Takeaways:

  • Overall, the remediation rate for severe vulnerabilities is on the decline while the average time to fix is on the increase. These two trends contribute to an overall increase in the window of exposure for applications in general.

  • The top 5 vulnerability classes by prevalence remain constant - pointing to a systematic failure to address these well-known vulnerabilities.

  • The prevalence of HTTP Response Splitting is on the rise. Organizations should pay specia