Half of websites vulnerable to exploitation in 2021

NTT Application Security analysis reveals trends across industries, highlighting continued exposure and lengthy time-to-fix for critical vulnerabilities

The Application Security Division of NTT Application Security company has released AppSec Stats Flash: 2021Year in Review, an analysis of the data generated from more than 15 million application security scans performed by organisations throughout 2021. The report focuses on changes within Window-of-Exposure and Time-to-Fix data across industry verticals, such as Healthcare, Manufacturing, Utilities and Retail, and aims to arm organisations with actionable key takeaways for securing their web applications in the modern threat landscape.

Within the report, NTT Application Security researchers found that half (50 per cent) of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout 2021, while only 27 per cent were vulnerable less than thirty days. Additionally, the report uncovers a concerning downward trend in organizations' remediation rates of critical vulnerabilities, which fell from 54 per cent to 47 per cent throughout the course of the year.

Key findings from the report include:

  • Half (50 per cent) of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout the entire year while 27 per cent of sites tested were vulnerable less than thirty days throughout the year.
  • The Education industry had the longest Time-To-Fix a critical vulnerability across all industries (523.5 days) —nearly 335 days more than Public Administration (188.6 days), which maintained the shortest timeframe throughout the year.
  • The Finance and Insurance industry had the lowest percentage of sites perpetually exposed (43 per cent), while Professional, Scientific and Technical Services had the highest percentage (65 per cent).

Craig Hinkley, chief executive officer at NTT Application Security says: "Marred by the Colonial Pipeline attack and the ongoing Log4j fallout, the events of 2021 brought application security to the forefront of the wider media and public conversation.

"Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there's evidence that suggests this inadvertently led to an overall negative result, as these initiatives seem to have occurred as a trade off with—rather than an addition to—existing remediation efforts. Moving forward, it is critical for application security programs to evolve toward a more comprehensive approach that brings together robust security testing, strategic remediation efforts and contextual education of developers, development operations and security operations personnel."

The report also examines the most common types of security vulnerabilities discovered in application security tests throughout 2021. Information Leakage, Insufficient Session Expiration, Insufficient Transport Layer Protection, Cross-Site Scripting and Content Spoofing were found to be the five most likely vulnerability classes identified throughout the year.  


Featured Articles

How secure is sensitive data stored in the cloud?

A Cloud Security Alliance (CSA) survey has found 67% of organisations store sensitive data in public cloud environments, but how secure is it?

CYBER LIVE LONDON: Day 2 highlights of the hybrid tech show

We take a look at highlights of the different stages at the Tech Live London show, including insights from Claroty, SalesForce and Oracle

TECH LIVE LONDON: An overview of the hybrid technology show

We take a look at the first day of Tech Live London with insights from technology leaders from companies such as IBM, Microsoft and Vodafone

Does a cashless society mean higher risk of fraud?

Cyber Security

5 minutes with Gary Brickhouse, CISO of GuidePoint Security

Cyber Security

CTO at Passbolt explains the importance of password managers

Application Security