WhiteHat Research Finds 40% of Apps Are At-Risk of Exposing Sensitive Data
March 2021 by WhiteHat
WhiteHat Security released AppSec Stats Flash Volume 3, the latest installment of the company’s monthly report and podcast reflecting on the current state of application security and the wider cyber threat landscape.
In AppSec Stats Flash Volume 3, WhiteHat Security’s Setu Kulkarni, vice president of corporate strategy and business development, and Zach Jones, senior director of detection research, are joined by Dino Boukouris, founder and managing director at Momentum Cyber. They primarily discuss how information leakage can expose vulnerabilities in connected applications across business-to-business partnerships, and they analyze the latest application security data found in this month’s report.
“In any partnership or merger and acquisition activity, organizations reach a stage where they need to integrate applications to sync data, enhance productivity and grow revenue. While application integration issues have been simplified, there is still no way to predict how their security posture will be affected by the complex orchestrations that form a digital supply chain,” said Kulkarni. “When two companies decide to integrate their applications, they should explicitly account for the risks that both companies will inherit, particularly concerning sensitive user and infrastructure data.”
Key findings from AppSec Stats Flash Volume 3 include:
More than 40 percent of applications are actively leaking information and are at risk of exposing sensitive data. “When we talk about information leakage, we often do not realize the vast amount of sensitive or partially sensitive information that the applications we interact with are collecting,” said Jones.
Exposure of A3-Sensitive Data, one of the leading vulnerabilities reported within information leakage, can result in a supply chain-type attack across connected applications. “Too often, by the time a formal security assessment takes place in an acquisition, application security is viewed as a ‘check-the-box’ diligence item as opposed to a key value driver,” said Boukouris.
Applications in the manufacturing sector continue to report the highest Window of Exposure, with 70 percent of applications having at least one serious vulnerability open over the previous 12 months. “Window of Exposure is a major concern as applications remain increasingly vulnerable across all industries, particularly manufacturing and finance. To improve these metrics, security and DevOps teams must take a holistic approach to identifying, prioritizing, and remediating these vulnerabilities in a manner that configures all changes with the development controls in process,” said Kulkarni.