Global organizations continue to struggle against the rising tide of application-specific and web-application attacks. In fact, 50% of all sites were vulnerable to at least one serious exploitable vulnerability throughout 2021, according to a new report by NTT Application Security.

The report is the product of an exhaustive analysis of the data generated from more than 15 million application security scans performed by organizations throughout 2021 — a year that will likely be remembered as one of the most significant for the wider cybersecurity landscape — and aims to provide actionable takeaways for security and development teams responsible for securing the web applications that run their business.

Highlighted by the Colonial Pipeline attack, President Biden’s Executive Order for “improving the nation’s cybersecurity,” and the ongoing Log4j fallout, the events of the past year brought application security to the forefront of all conversations. Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this unintentionally led to an overall negative result, as “fire-drill” remediation initiatives seem to occur as a tradeoff with — rather than an addition to — existing remediation efforts. These events, coupled with the explosive growth in web applications accelerated by the COVID-19 pandemic, as well as the rapid adoption of modern practices that enable developers to rapidly build and deliver valuable functionality, have led the market to an inflection point in how we approach application security testing.

Bar graph of different classes of vulnerabilities and their percentage across different website applications. Information leakage is the most popular at 43.4%, followed by insufficient session expiration at 32.5% and insufficient transport layer protection at 24.2%.

The finance and insurance industry (43%) had the smallest percentage of sites perpetually exposed throughout 2021, while the professional, scientific, and technical services industry (65%) had the largest percentage of sites perpetually exposed.

The average time-to-fix a critical vulnerability in 2021 ended 1.7 days shorter than it began (193.1 vs 194.8). While the data point does show a positive trend, the reduction is insignificant when considering the reported increase in time-to-fix across all other risk categories throughout the year. The Education industry (523.5 days) had the longest time-to-fix a critical vulnerability across all industries — nearly 335 days more than Public Administration (188.6 days), which maintained the shortest timeframe throughout the year.

NTT Application Security found that the vulnerability classes most likely to be detected remained relatively static throughout the year, while also indicating that well-known vulnerability classes plagued applications. Considering that the effort and skill required to discover and exploit these vulnerabilities is fairly low, it’s clear that attackers benefited from a target-rich environment in 2021.

Read the full report by NTT Application Security.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact.