Who fixes the most vulnerabilities?

Web and mobile applications produced or used by government organizations are more likely than those in other industries to fail standard security policies like the OWASP Top 10 when initially assessed for risk.

Veracode’s analytics also show that government organizations only remediate 27 percent of application vulnerabilities once detected – last among the seven vertical markets analyzed. Moreover, government applications have the highest prevalence of SQL Injection vulnerabilities – commonly used to steal sensitive data from databases – upon initial assessment. In contrast, financial services and manufacturing ranked best across most categories, with healthcare, retail and hospitality near the bottom.

Cris Thomas, Strategist of Tenable Network Security, told Help Net Security that while the numbers themselves sound surprising, it really is the status quo among not just government, but as the report shows with all organizations. “Considering that these are mostly problems that we know how to fix, that we have known how to fix them for years, the numbers aren’t surprising, they are just sad. If companies just spend a little time practicing the basic fundamentals of security they could greatly reduce these numbers for their organization. One of those fundamentals is to patch, and then verify that the patches actually got applied. The only way a vulnerability can linger on your network is if you don’t patch in a timely manner,” Thomas added.

As organizations increasingly rely on software to drive their businesses, the threat surface available to cyberattackers has expanded. As a result, one of the leading causes of data breaches over the past two years has been vulnerable applications, according to Verizon’s 2015 Data Breach Investigations Report. Yet, analytics collected from more than 200,000 application risk assessments over the last 18 months found a wide disparity in how the problem is addressed across industries.

Benchmarking across industry verticals provides a fascinating insight into the maturity of various sectors, according to Raj Samani, VP and CTO EMEA at Intel Security. “Perhaps the most concerning however is how poorly the healthcare, and also government verticals fare when compared with private sector. Considering the amount of data collected, and particularly sensitive data we really ought to see the attention from these sectors to be faring higher. One of the reasons could be the lack of in-house expertise, but with the availability of external remediation services available this should not really be used as an excuse,” Samani added.

Reliance on outdated programming languages has hamstrung government security. The government ranks last among vertical markets, with three out of four government applications failing the OWASP Top 10 when initially assessed for risk. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion which are known to produce more vulnerabilities.

The financial services and manufacturing industries’ attention to software security pays off. In contrast to the government sector, organizations in financial services and manufacturing more proactively remediate the majority of their vulnerabilities (65 and 81 percent respectively). These results appear to indicate a higher institutional awareness of application security risk and a stronger emphasis on enforcing enterprise-wide policies, monitoring key performance indicators (KPIs) and instituting continuous improvement processes.

Healthcare organizations fare poorly. Given the large amount of sensitive data collected by healthcare organizations, it’s concerning that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. In addition, healthcare fares near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.

Significant risk is introduced by the software supply chain. Nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.

After reading the Veracode report, Muddu Sudhakar, CEO of Caspida, discovered it’s primarily focused on application security, particularly emphasizing policy-driven approaches as a panacea. “This report misses attacks such as APTs, insider threats, and other malware. Today’s new cyberattacks are unknown and are often unclassified or uncategorized using traditional security approaches. Ultimately, these types of threats present the biggest danger to organizations and their data. For these new breeds of attacks, organizations require more sophisticated tools, such as big data analytics, machine learning algorithms and threat detection for APTs, malware and insider attacks, to effectively combat these threats, Sudhakar added.

Don't miss