Report: 50% of all web applications were vulnerable to attacks in 2021


Global organizations continue to grapple with the growing wave of application-specific and web-based attacks. In fact, 50% of all sites had at least one serious exploitable vulnerability throughout 2021, according to a new report from NTT Application Security.

The report is the product of a comprehensive analysis of data generated from more than 15 million application security scans performed by organizations throughout 2021 – a year that will likely be remembered as one of the most important to the broader cybersecurity landscape – and aims to provide practical guidance for security and development teams responsible for securing the web applications that run their business.

Highlighted by the Colonial Pipeline attack, President Biden’s executive order to “enhance the nation’s cybersecurity,” and the ongoing Log4j fallout, the events of the past year have put application security at the forefront of all conversations. Despite the increased pressure to fix critical vulnerabilities in both public and private sector applications, there is evidence to suggest this has unintentionally led to an overall negative outcome, as “fire” remediation initiatives appear to be occurring as a trade-off against – rather than in addition to – existing remediation efforts. These events, coupled with the explosive growth of web applications accelerated by the COVID-19 pandemic, as well as the rapid adoption of modern practices that enable developers to quickly build and deliver valuable functionality, have led the market to an inflection point in how we approach application security testing.

The finance and insurance sector (43%) had the smallest percentage of sites perpetually exposed throughout 2021, while the professional, scientific and technical services sector (65%) had the largest percentage of sites perpetually exposed.

The average time to fix a critical vulnerability ended 2021 1.7 days shorter than it began (193.1 days vs. 194.8 days). Although the data point shows a positive trend, the reduction is insignificant when considering the reported increase in time to resolution across all other risk categories throughout the year. The education sector (523.5 days) recorded the longest time to resolve a critical vulnerability of any sector, nearly 335 days longer than public administration (188.6 days), which maintained the shortest time to resolution throughout the year.

NTT Application Security found that the vulnerability classes most likely to be detected remained relatively static throughout the year, while also indicating that well-known vulnerability classes plagued applications. Considering that the effort and skill required to discover and exploit these vulnerabilities is quite low, it is clear that attackers have benefited from a target-rich environment in 2021.

Read the full report from NTT Application Security.
