2021 was a tough year for cybersecurity: the ongoing fallout from the SolarWinds compromise, the Log4j vulnerabilities, a wave of ransomware attacks, and much more. Alongside those headline events, a large number of websites were attacked by hackers exploiting vulnerabilities in the sites' own application code. The cybersecurity company NTT Application Security has released a report on the flaws and vulnerabilities found in websites over the past year.
The education industry is the worst in fixing the flaws
NTT Application Security’s report draws on data from 15 million application security scans performed by organizations and focuses on healthcare, manufacturing, utilities, and retail websites. According to the report, 50% of the websites were vulnerable to at least one serious, exploitable vulnerability, and only 27% of the websites were vulnerable for less than a month, meaning their flaws were fixed within 30 days of being found.
The report shows that the education industry is the slowest of all industries at fixing critical vulnerabilities, taking 523 days on average; public administration is the fastest, at 188 days. Finance and insurance have the lowest share of websites exposed to a serious vulnerability, at 43%, while professional, scientific, and technical services have the highest, at 65%.
Craig Hinkley, chief executive officer of NTT Application Security, said:
« Marred by the Colonial Pipeline attack and the ongoing Log4j fallout, the events of 2021 brought application security to the forefront of the wider media and public conversation. Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this inadvertently led to an overall negative result, as these initiatives seem to have occurred as a tradeoff with, rather than an addition to, existing remediation efforts. Moving forward, it is critical for application security programs to evolve toward a more comprehensive approach that brings together robust security testing, strategic remediation efforts and contextual education of developers, development operations and security operations personnel. »