Throughout 2021, half of all websites (50 percent) tested by the Application Security Division of NTT were exposed to at least one severe exploitable vulnerability, whereas just 27% were vulnerable for fewer than thirty days. The findings are released by NTT in their ‘AppSec Stats Flash: 2021 Year in Review’ report. This study examined data from over 15 million application security scans conducted by businesses in 2021.
The report examines changes in Window-of-Exposure and Time-to-Fix statistics across industry verticals including healthcare, manufacturing, utilities, and retail, with the goal of providing enterprises with practical key takeaways for protecting their online applications in the contemporary threat landscape.
Researchers from NTT Application Security found that half of all websites evaluated (50 percent) were exposed to at least one severe exploitable vulnerability in 2021, while just 27% were exposed for less than thirty days. The research also reveals a troubling downward trend in the rate at which businesses remediate critical vulnerabilities, which declined from 54 percent to 47 percent over the course of the year.
To sum up, key findings from the report by NTT include:
- Half of all websites evaluated (50 percent) were exposed to at least one severe exploitable vulnerability throughout the full year, whereas 27% of sites tested were vulnerable for less than thirty days
- Across all industries, Education had the longest Time-to-Fix for a serious vulnerability (523.5 days), roughly 335 days longer than Public Administration (188.6 days), which had the shortest Time-to-Fix of the year
- Finance and Insurance had the lowest share of sites exposed throughout the full year (43 percent), while Professional, Scientific, and Technical Services had the highest share (65 percent)
“Marred by the Colonial Pipeline attack and the ongoing Log4j fallout, the events of 2021 brought application security to the forefront of the wider media and public conversation,” said Craig Hinkley, Chief Executive Officer (CEO) at NTT Application Security. “Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this inadvertently led to an overall negative result, as these initiatives seem to have occurred as a tradeoff with – rather than an addition to – existing remediation efforts. Moving forward, it is critical for application security programs to evolve toward a more comprehensive approach that brings together robust security testing, strategic remediation efforts and contextual education of developers, development operations and security operations personnel.”
The report also examines the most common types of security vulnerabilities discovered in application security tests throughout 2021. The five most likely vulnerability classes detected throughout the year were Information Leakage, Insufficient Session Expiration, Insufficient Transport Layer Protection, Cross-Site Scripting, and Content Spoofing.
Those interested in learning more about the findings can download the full report from NTT Application Security.