According to a report released June 22 by WhiteHat Security, two-thirds of utilities' applications and 63% of public administration organizations' applications contain serious vulnerabilities that expose them to cyber attacks on a daily basis.

Serious vulnerabilities in the top three industries, including public infrastructure, take an average of 288 days to fix

In all, 11 industries last year had at least half of their applications carrying a serious vulnerability on any given day. In the top three industries — utilities, public administration and professional services — these vulnerabilities took an average of at least 288 days to fix, according to the company's Monthly AppSec Stats Flash report for June. Over the past three months, the average time needed to fix critical vulnerabilities was 205 days, up from 194 days in the January report and significantly higher than the 148 days for all of 2020.

Setu Kulkarni, vice president of strategy at WhiteHat Security, said bugs are slow to be fixed because, in many cases, there is no development team in place to deal with problems left in applications. Because applications tend to take a long time to develop, the original development team has often moved on by the time bugs are discovered; even one's own code becomes hard to read over time, let alone someone else's.

Testing of new applications, and of legacy applications that had never been tested before, is partly responsible for the increase in vulnerabilities found in all three industries, according to WhiteHat. Frequent attacks on critical infrastructure and the growth of remote work have led companies in this sector to test software at scale, which is why the sector has moved up the rankings. It is also a sign of growing security awareness across the industry, since some applications may previously have been tested only once before deployment. Across major industry sectors, the number of applications tested rose by about 10%, with an average of two vulnerabilities found per site.

The financial and insurance industries use DevSecOps to speed up bug fixes

Finance and insurance companies, an industry often targeted in the past, have done much better, though not exceptionally: the sector ranks 13th on the list of industries with long-exposed vulnerabilities. Forty-three percent of applications were vulnerable at all times, compared with 29 percent that were vulnerable for 30 days or less.

But the industry's clear advantage is that once companies discover an exposed vulnerability or weakness, they fix or mitigate it within 30 days, far faster than any other industry. They use agile development, DevSecOps and other modern process practices, and integrate security tooling such as static application security testing (SAST) and dynamic application security testing (DAST), along with other mature application security technologies, into the development process.

Open source vulnerabilities become a hidden danger as developers lack security awareness

Although the report did not address whether developers' code could be exposed to vulnerabilities through open source components, a report by another security firm found that 79% of developers did not update their applications after introducing open source code. Regular updates and patching are crucial, since 92% of open source vulnerabilities are fixed through updates. Open source code has become an indispensable part of enterprise applications, yet developers have not paid enough attention to the vulnerabilities it may carry. As open source vulnerabilities grow in number and are increasingly weaponized, it is recommended to introduce software composition analysis (SCA) tooling into the development process to find vulnerable components efficiently.
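The core of what an SCA tool does is compare pinned dependency versions against known affected version ranges. The following is an added example, not code from the report or any SCA vendor; the package names, versions and advisory ranges are constructed for illustration and are not real advisories.

```python
"""Minimal software-composition check over a pinned dependency list.

Hypothetical example: every package, version and advisory range below is
constructed for illustration; none refers to a real project or advisory.
"""
from typing import Dict, List, Tuple

# Constructed sample: the contents of a pinned requirements file.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed sample)
webframework==2.3.1
jsonparser==1.0.4
tlsclient==0.9.8
"""

# Constructed advisory table: package -> list of (introduced, fixed) ranges.
# A pinned version is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "webframework": [("2.0.0", "2.3.5")],
    "jsonparser": [("0.5.0", "1.0.0")],
    "tlsclient": [("0.9.0", "0.9.8"), ("1.1.0", "1.1.2")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); only dotted numeric versions are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, ignoring blanks and comments.

    Unpinned requirements are rejected: without an exact version there is
    nothing to compare against an advisory range.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(
    pins: Dict[str, str], advisories: Dict[str, List[Tuple[str, str]]]
) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, fixed_in) for every pin inside an affected range."""
    findings = []
    for name, pinned in pins.items():
        version = parse_version(pinned)
        for introduced, fixed in advisories.get(name, []):
            if parse_version(introduced) <= version < parse_version(fixed):
                findings.append((name, pinned, fixed))
    return findings


if __name__ == "__main__":
    for package, pinned, fixed in find_vulnerable(
        parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES
    ):
        print(f"{package}=={pinned} is affected; upgrade to {fixed} or later")
```

The comparison is deliberately exclusive at the upper bound: a pin equal to the fixed version (tlsclient 0.9.8 against the 0.9.0 to 0.9.8 range) is not reported, which is how advisory databases normally express "fixed in".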

Another key problem is that developers keep making the same mistakes. The top five vulnerability classes in the report have not changed over time; the most common are information leakage, insufficient session expiration, inadequate transport layer protection, cross-site scripting and content spoofing.
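Each of these five classes leaves a header-level symptom that can be checked on every HTTP response, which is the kind of check a DAST tool or a CI smoke test performs. The following is an added example and is not code from the report; the sample responses, the cookie-name heuristic and the eight-hour session policy are constructed assumptions. The header checks are signals, not proof: confirming an actual XSS or content-spoofing issue still requires testing the application's handling of user input.

```python
"""Audit an HTTP response's headers for symptoms of the five vulnerability
classes named in the report. Constructed example: the sample responses and
the session-length policy below are assumptions, not report data."""
from typing import Dict, List

MAX_SESSION_SECONDS = 8 * 3600  # assumed policy: a session should not outlive a workday

# Constructed weak response, as a scanner might capture it from an application.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=utf-8
Set-Cookie: SESSIONID=abc123; Path=/; Max-Age=2592000; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

# Constructed hardened form of the same response.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: web
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to every value seen (Set-Cookie repeats)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Return the cookie name under '__name__' plus its lower-cased attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {"__name__": parts[0].split("=", 1)[0]}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return attrs


def audit_response(raw: str) -> List[str]:
    """Return one finding string per header-level symptom found."""
    findings: List[str] = []
    h = parse_headers(raw)

    # Information leakage: banners that reveal product versions.
    for banner in ("server", "x-powered-by"):
        for value in h.get(banner, []):
            if any(ch.isdigit() for ch in value):
                findings.append(f"information-leakage: {banner} reveals '{value}'")

    # Inadequate transport layer protection: no HSTS, or session cookie sent without Secure.
    if "strict-transport-security" not in h:
        findings.append("transport-protection: missing Strict-Transport-Security")
    for set_cookie in h.get("set-cookie", []):
        cookie = cookie_attributes(set_cookie)
        name = cookie["__name__"]
        if "sess" not in name.lower():  # assumed heuristic for session cookies
            continue
        if "secure" not in cookie:
            findings.append(f"transport-protection: session cookie {name} lacks Secure")
        # Insufficient session expiration: a session cookie persisted far beyond policy.
        max_age = cookie.get("max-age")
        if max_age is not None and int(max_age) > MAX_SESSION_SECONDS:
            findings.append(f"session-expiration: {name} Max-Age={max_age}s exceeds policy")

    # XSS and content spoofing: response-level defences absent (a signal, not proof).
    if "content-security-policy" not in h:
        findings.append("xss: no Content-Security-Policy to limit injected-script impact")
    if "nosniff" not in " ".join(h.get("x-content-type-options", [])).lower():
        findings.append("content-spoofing: missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] {len(audit_response(response))} finding(s)")
        for finding in audit_response(response):
            print("  -", finding)
```

The hardened response drops the version banners, adds HSTS, CSP and nosniff, and issues the session cookie with Secure and without a long Max-Age, so the server-side session timeout, not the client, decides when it ends.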

The foundation of software security lies in the attention paid to it by personnel, including but not limited to managers and developers. Security management measures play their full role only when they are implemented concretely. Therefore, while deploying and improving the secure software development lifecycle, organizations should also invest in security education and training, so that security awareness runs through the whole development process.

Reference links:

www.woocoom.com/b021.html?i…

www.darkreading.com/application…