Enterprises Still Don't Base Vuln Remediation On Risk

Published: 22/11/2024   Category: security




New WhiteHat study shows critical vulnerabilities aren't fixed any faster than other security flaws.



Even after hearing years of dire warnings about the dangers of critical application vulnerabilities, enterprises are still falling down at the job of prioritizing risk in application security programs. In its 11th annual report on web security statistics, WhiteHat Security this week showed that it takes months to years for most vulnerabilities to be fixed across all industries, and that there's still lots of work to do in fixing the systemic reasons why vulnerabilities are remediated so slowly.
"Despite the growing number of breaches, the state of application security is not improving significantly," says Asma Zubair, director of product management for WhiteHat. "Applications continue to remain vulnerable. About one-third of insurance applications, about 40 percent of banking and financial services applications, about half of healthcare and retail applications, and more than half of manufacturing, food and beverage, and IT applications are always vulnerable."
These statistics are derived from the aggregate data gathered from all of the scanning and remediation work done by WhiteHat in 2015. The data show that it takes an average of 150 days to fix a vulnerability, but, as Zubair points out, a significant number of vulnerabilities are never fixed at all: fewer than half of vulnerabilities are remediated. Additionally, the average time to fix a vulnerability reached a five-year high, after a dip in the previous two years.
Perhaps more troubling, though, is the fact that critical vulnerabilities are not remediated any more quickly than the rest of vulnerabilities, and high-risk vulnerabilities often take the longest of all to fix, with each type aging an average of 300 and 500 days, respectively. As the report notes, this shows that even when faced with limited resources to fix security flaws, organizations are not ranking them based on risk. 
"This finding suggests that systematic risk-based prioritization of security vulnerabilities is not being performed," the report says.
When compared to enterprise swiftness in fixing critical software quality flaws, "it becomes clear that executives and security practitioners are failing to set or enforce SLAs for fixing the security flaws," WhiteHat's research says, explaining that organizations have to do a better job of building security assessments and remediation processes into the software delivery lifecycle.
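The two findings above (high-risk flaws ageing longer than critical ones, and no SLA enforcement) are easy to check against your own backlog. The script below is an added example, not code from the article or from WhiteHat: it computes mean age per severity tier, the remediation rate, SLA breaches, and whether the tiers are being closed in risk order, then builds the work queue a risk-based process would use. The SLA thresholds and the sample findings are constructed for illustration (ages are chosen so critical findings average about 300 days and high findings about 500, as in the report) and are not real scan data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Severity tiers, highest risk first. The SLA days per tier are a
# hypothetical policy, not figures from the WhiteHat report.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


@dataclass
class Finding:
    fid: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None means the finding is still open

    def age_days(self, as_of: date) -> int:
        """Days from discovery to fix, or to `as_of` if still open."""
        end = self.fixed or as_of
        return (end - self.found).days


BASE = date(2015, 1, 1)


def day(n: int) -> date:
    """Helper so sample dates are expressed as day offsets from BASE."""
    return BASE + timedelta(days=n)


AS_OF = day(545)  # reporting date for the sample backlog

# Constructed sample backlog (not real scan data). Critical findings age
# ~300 days and high ~500, while low-severity findings close in two months:
# the anti-pattern the report describes.
FINDINGS = [
    Finding("F-1", "critical", day(0), day(300)),
    Finding("F-2", "critical", day(245)),
    Finding("F-3", "high", day(0), day(500)),
    Finding("F-4", "high", day(45)),
    Finding("F-5", "medium", day(0), day(120)),
    Finding("F-6", "medium", day(10), day(190)),
    Finding("F-7", "low", day(100), day(160)),
    Finding("F-8", "low", day(485)),
]


def mean_age_by_severity(findings, as_of):
    """Average age per tier, counting open findings as aged to `as_of`."""
    by_tier = {s: [] for s in SEVERITY_ORDER}
    for f in findings:
        by_tier[f.severity].append(f.age_days(as_of))
    return {s: mean(v) for s, v in by_tier.items() if v}


def remediation_rate(findings):
    """Fraction of findings that have been closed."""
    return sum(1 for f in findings if f.fixed) / len(findings)


def sla_breaches(findings, as_of):
    """IDs of findings whose age exceeds the SLA for their tier."""
    return [f.fid for f in findings if f.age_days(as_of) > SLA_DAYS[f.severity]]


def is_risk_ordered(mean_ages):
    """True when each higher-risk tier is closed no slower than the next one down."""
    ages = [mean_ages[s] for s in SEVERITY_ORDER if s in mean_ages]
    return all(a <= b for a, b in zip(ages, ages[1:]))


def prioritized_queue(findings):
    """Open findings ordered by risk tier, oldest first within a tier."""
    open_findings = [f for f in findings if f.fixed is None]
    open_findings.sort(key=lambda f: (SEVERITY_ORDER.index(f.severity), f.found))
    return [f.fid for f in open_findings]


if __name__ == "__main__":
    ages = mean_age_by_severity(FINDINGS, AS_OF)
    print("mean age by severity:", ages)
    print("remediation rate:", remediation_rate(FINDINGS))
    print("SLA breaches:", sla_breaches(FINDINGS, AS_OF))
    print("risk-ordered?", is_risk_ordered(ages))
    print("work queue:", prioritized_queue(FINDINGS))
```

Feeding real scanner exports into `FINDINGS` turns `is_risk_ordered` into a one-line health check for the prioritization problem the report describes, and `sla_breaches` gives the list an SLA owner would actually have to act on.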
Without that, attackers will continue to make hay while the sun shines. On the exploitation front, a new study out from Akamai this week shows that in the last fiscal quarter there was a 25.5% increase in web application attacks, with particularly large gains in web application attacks over HTTPS, which spiked by nearly 234%. Interestingly, there's also been a huge uptick in SQL injection attacks, with an 87.3% jump in that area.