Experts at application security leader WhiteHat Security detail how a lack of synergy between development and security teams affects enterprise apps’ security.
As many as 70% of manufacturing apps featured at least one serious exploitable vulnerability throughout 2020. So did 60% of healthcare apps that offer essential services to people worldwide, experts at application security leader WhiteHat Security have revealed.
In AppSec Stats Flash, its planned series of monthly podcasts and statistics whose first episode aired on Thursday, WhiteHat Security refers to this as the Window of Exposure (WoE): the number of days an app is exposed with a critical vulnerability.
“In the last 12 months, two things have stood out – the acceleration of application delivery and the rapidness with which the threat landscape surrounding these applications continues to evolve,” Setu Kulkarni, VP, Corporate Strategy & Business Development, told Toolbox.
Kulkarni said their decision to do away with annual reports for monthly updates was “sparked by the constant struggle being experienced by not just our customers but the market at large – how do they bring safe applications to market rapidly.” A study by Ponemon found that more than 50% of developers are under pressure to develop applications faster than before digital transformation kicked in. As a result, they see security as an obstacle rather than an inherent need in applications.
In the January episode of AppSec Stats Flash, Kulkarni and Zach Jones, the Sr. Director of Detection Research at WhiteHat Security, analyzed several other sectors besides manufacturing and healthcare for their Windows of Exposure.
Aside from manufacturing and healthcare apps, 67% of public administration apps were also found to carry at least one vulnerability for all 365 days (between January 1, 2020 and January 1, 2021), i.e., a full-year WoE. Apart from these, over half (but not more than 60%) of all apps had a year-long WoE, including apps from sectors such as enterprise management, information, education, social assistance, retail, professional & scientific services, utilities, and real estate.
The reason can be attributed to a surge in the rollout of applications, lack of properly trained staff, and most importantly, developers not prioritizing security as a function on par with delivery.
“When certain industries focus on new trends or new markets, security often falls by the wayside. Based on our statistics, there is a clear divide in different organizations’ efforts around remediation, secure development and process that is easily seen in the window of exposure statistics,” Jones told Toolbox.
“In healthcare, for instance, we have seen the window of exposure rise by fifteen percent and while this is a concerning metric, it is not surprising due to the speed at which healthcare needed to adapt in 2020 due to the pandemic,” he added.
What’s more concerning is that the divide between DevOps and SecOps has caused the time-to-fix, i.e., the time teams take to rectify security flaws in an app, to start “seeing a dangerous upward trend,” according to Kulkarni.
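To make the two metrics the article leans on concrete, here is an added example (not WhiteHat Security's code or methodology) that computes the Window of Exposure per app and the mean time-to-fix from a findings list. It assumes a finding record with an app name, a severity, an open date and an optional close date; the app inventory, sector names and findings are constructed sample data. WoE is counted as the number of days in the half-open window on which the app had at least one open critical or high finding, so overlapping findings are not double-counted and a finding closed before the window contributes nothing.

```python
"""Window of Exposure (WoE) and time-to-fix from a findings list.

Added example, not WhiteHat Security's code. Every app name, sector and
finding below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

SERIOUS = {"critical", "high"}  # severities that count toward exposure


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None: still open at the end of the window


def window_of_exposure(findings: List[Finding], app: str, start: date, end: date) -> int:
    """Days in the half-open window [start, end) on which `app` had at least
    one open serious finding. Overlapping findings count once per day."""
    exposed_days = set()
    for f in findings:
        if f.app != app or f.severity.lower() not in SERIOUS:
            continue
        first = max(f.opened, start)
        last = min(f.closed or end, end)  # the closing day itself is not exposed
        day = first
        while day < last:
            exposed_days.add(day)
            day += timedelta(days=1)
    return len(exposed_days)


def full_window_share(findings: List[Finding], apps: Dict[str, str],
                      start: date, end: date) -> Dict[str, float]:
    """Per sector, the fraction of apps exposed on every day of the window
    (the window length is derived from the dates: 366 days for 2020)."""
    window_days = (end - start).days
    totals: Dict[str, int] = {}
    full: Dict[str, int] = {}
    for app, sector in apps.items():
        totals[sector] = totals.get(sector, 0) + 1
        if window_of_exposure(findings, app, start, end) == window_days:
            full[sector] = full.get(sector, 0) + 1
    return {sector: full.get(sector, 0) / n for sector, n in totals.items()}


def mean_time_to_fix(findings: List[Finding]) -> Optional[float]:
    """Mean days from open to close over serious findings that were closed."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.closed is not None and f.severity.lower() in SERIOUS]
    return mean(durations) if durations else None


# Constructed sample inventory (app -> sector) and findings
APPS = {
    "mfg-portal": "manufacturing",
    "mfg-erp": "manufacturing",
    "clinic-api": "healthcare",
    "bank-web": "finance",
}
FINDINGS = [
    # open since before the window and never fixed: exposed all year
    Finding("mfg-portal", "critical", date(2019, 11, 15)),
    # fixed after three months; the medium finding does not count
    Finding("mfg-erp", "high", date(2020, 3, 1), date(2020, 6, 1)),
    Finding("mfg-erp", "medium", date(2020, 1, 1)),
    # two findings that overlap and together cover the whole year
    Finding("clinic-api", "critical", date(2020, 1, 1), date(2020, 7, 1)),
    Finding("clinic-api", "high", date(2020, 6, 15)),
    # fixed within a week; the older one was closed before the window
    Finding("bank-web", "high", date(2020, 2, 10), date(2020, 2, 17)),
    Finding("bank-web", "high", date(2019, 12, 1), date(2019, 12, 20)),
]
START, END = date(2020, 1, 1), date(2021, 1, 1)

if __name__ == "__main__":
    for app in APPS:
        print(f"{app}: WoE {window_of_exposure(FINDINGS, app, START, END)} days")
    print("full-year share by sector:", full_window_share(FINDINGS, APPS, START, END))
    print("mean time-to-fix (days):", mean_time_to_fix(FINDINGS))
```

The healthcare app in the sample never has a single finding open for the whole year, yet its WoE still covers every day, which is why the metric is computed over the union of open serious findings rather than per finding.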
Commenting on inherent vulnerabilities in a vast majority of applications that remain unfixed for long periods, Vishwas Manral, Founder & CEO at NanoSec, believes measurement, ownership and collaboration are key for a successful DevOps and SecOps partnership.
“I think the things that we’ve seen, that work are basically around having collaboration as a set. It’s about a lot of measurement, continuous measurement, continuously figuring out, you know, what is working, what is not working. It’s about end-to-end responsibility from startup to grave. If you have responsibility, from development to test, to production, and you know you’re owning the security all along, that’s where things actually work,” he said.
But it’s not all gloomy. Some industries, such as finance, are doing better than others and have witnessed a decline in the WoE for their apps.
“Finance is clearly doing well. Obviously, many financial applications have direct dollars as exposure and this has historically driven focus on the security of those applications in the finance industry,” said Jones.
Besides finance, other sectors that have fared better than manufacturing and healthcare include agriculture, arts & entertainment, and construction. These industries had less than one-third of their apps with critical or high severity vulnerabilities for a period of one year.
“Overall, one of the things we commonly see when we see spikes or drops in measures like this in a specific industry or specific type really has to do with focus. We see that when certain industries focus on new things, changes in their industry, new trends, new markets, security often gets left to the side,” Jones added.