NTT Application Security is releasing Volume 9 of the
company's monthly AppSec Stats Flash report, which reflects on the evolving
threat landscape, tracks key AppSec metrics on an ongoing basis and brings
forward key actionable takeaways for security and development teams responsible
for the applications that run their businesses.
https://www.whitehatsec.com/appsec-stats-flash/
Each month, the AppSec Stats Flash reflects on the evolving
threat landscape, tracks key AppSec metrics on an ongoing basis and brings
forward key actionable takeaways for security and development teams who are
responsible for the applications that run their business. This month, the NTT
Application Security research team focused on cyberthreats targeting education
applications as security concerns in that sector continue to grow. Accelerated
online learning environments due to the pandemic and considerable rates of
ransomware and phishing attacks against K-12 schools have increased focus on
the unique cybersecurity challenges these organizations face.
Key Findings from AppSec Stats Flash Volume 9 Include:
- Although the education sector's breach exposure has remained relatively
  consistent this year, it's taking longer to fix high severity vulnerabilities
  compared to other industries (206 days vs 201 days).
- Applications within the education sector show an increased Window of Exposure
  (WoE) rate, rising to 57% in August from 53% last month.
- 53% of applications in the Education sector have at least one critical
  vulnerability exploitable throughout the year. However, 34% of these
  applications have a Window of Exposure of less than one month. This means that
  serious vulnerabilities in 34% of applications in the sector get addressed
  within one month.
"The application security statistics for the Education
sector indicate a hyper focus among organizations in this sector on a handful
of critical web applications and fixing a handful of critical vulnerabilities
in those applications. The approach seems to be working given the otherwise
stable WoE metrics that are now in fact improving," said Setu Kulkarni, Vice President,
Strategy, at NTT Application Security.
"To accelerate the improvement in
the Education sector's overall application security posture, organizations in
the sector should expand their approach to identify their overall attack
surface and put in place a systematic program that progressively covers all
applications. In addition, Educational institutes should provide best-practice
training to students so that they can remain safe on the internet regardless of
the state of the application security of the apps they interact with on a daily
basis. Finally, educational institutions should demand that the SaaS and
non-SaaS products they use in a COTS manner have been through rigorous AppSec
programs."