As we become more dependent on applications, it's not surprising that apps are at huge risk of exploitable vulnerabilities.
It seems that enterprises now utilize an app for almost everything. The proliferation of apps is the natural evolution brought about by digital transformation. If anything, our critical business operations and daily work routines will grow more dependent on them.
A recent study by WhiteHat Security shows that at least 50 percent of apps used by our most popular industry sectors contain one or more exploitable vulnerabilities. These sectors include manufacturing, public services, healthcare, retail, education and utilities, to name a few. Manufacturing had the highest exposure level, with nearly 70% of applications having at least one exploitable vulnerability. While this fact is highly concerning for cybersecurity professionals, it is music to the ears of hackers and cybercriminals who are constantly looking for a chink in the armor of today's enterprises that they can take advantage of.
According to the report, the top five vulnerability classes recorded during the fourth quarter of 2020 were information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing. The researchers behind the report stated that the skill level required to discover and fully exploit these vulnerabilities is fairly low. It doesn't take a lot of specialized training to take advantage of them.
Unfortunately, the study's conclusions may prove conservative. According to the recent State of Software Security report by Veracode, 76% of all applications have at least one vulnerability. The report also states, however, that only 24% of software contains a high-severity vulnerability.
The abundance of exploitable vulnerabilities is creating financial consequences for many companies today. According to the insurance provider Hiscox, companies across the world experienced cyber losses of $1.8 billion, a six-fold increase compared to the previous 12 months. The insurance provider states that companies in England are 15 times more likely to experience a cyberattack than a fire or theft.
Application vulnerabilities cost companies money on several fronts. Obviously, there is the consequential cost of these vulnerabilities being used in a cyberattack. But there is also the real cost of fixing them. This includes the cost of detection as well as the cost of remediation, as developer hours are not cheap.
A big reason why there are so many exploitable vulnerabilities is that there are so many applications. Every application is different, using different coding practices. This makes every application a unique attack surface. Another contributing factor is the time it takes to fix these vulnerabilities. The average time to fix is 189 days across all industries. But that is assuming that the vulnerability does indeed get fixed. According to the 2020 Mid-Year Attack Trends Report by Check Point, 80% of attacks use vulnerabilities reported three or more years ago. In other words, the majority of attacks sustained in 2020 were made possible by exploitable vulnerabilities reported in 2017 or earlier. Furthermore, the report showed that one in five attacks used vulnerabilities that are at least seven years old.
According to Palo Alto Networks, 80% of public exploits are developed and released before a CVE alert can be published. They found that the average public exploit is known 23 days before the CVE is published. Over the past 22 years, that average has been as much as 40 days. Word spreads quickly within the cybercriminal community, and unscrupulous parties are quick to strike within these windows of opportunity. There is no doubt we need to shrink the gap between vulnerability discovery and CVE publication. And then, of course, there are zero-day vulnerabilities. One study showed that 66 percent of malware detections during Q2 of 2020 involved the exploitation of zero-day vulnerabilities.
While the Check Point report appears to be highly damaging to software companies, they are not the only ones to blame. A big reason why attackers continue to exploit old vulnerabilities is that enterprises continue to utilize outdated operating systems and software. According to a Spiceworks survey back in 2019, 32 percent of companies were still using Windows XP systems at the time. As of last December, it is estimated that 8.5% of Windows computers are running Windows 7. Once an OS or application is deprecated, it is no longer supported and the vendor ceases patching efforts. Of course, just because patches are released doesn't mean that customers will apply them. According to the U.S. Cyber Agency, the failure to patch vulnerabilities, many of which are more than a year old, puts organizations at significantly higher risk of compromise. The agency reports that one of the top 10 most commonly exploited vulnerabilities was first disclosed in 2012.
Cybersecurity experts are constantly harping on keeping all systems and software fully patched and up to date. While it may sound like a broken record, there's a reason why they constantly reiterate this message: it works!
TitanHQ is a multi-award winning cybersecurity vendor. Learn more about TitanHQ and how we can protect your business with Email Security, DNS Filtering and Email Archiving for Compliance.