Critical vulnerabilities persist in high-risk sectors
Finance and insurance sectors found to have the highest number of critical vulnerabilities, according to Black Duck.
Finance and insurance industry faces highest vulnerabilities
The report, which analyzes data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck on approximately 1,300 applications across 19 industry sectors from June 2023 to June 2024, found variations in vulnerability types and remediation practices.
Of the 96,917 total vulnerabilities identified, the two most critical categories were cryptographic failures (weaknesses in how an application secures sensitive information), with over 30,000 instances, and injection vulnerabilities (when malicious code tricks an application into executing unintended actions or accessing data without proper authorization), with just over 4,800 instances.
Both pose threats to data across all industries, and potential breaches could lead to the theft of personally identifiable information (PII), financial data, and medical records, resulting in severe financial losses and reputational damage.
The Finance and Insurance industry (FSI) had the highest number of critical vulnerabilities across all site complexities, with 565 critical vulnerabilities identified for small FSI sites, 580 for medium sites,and 154 for large sites. The next-highest industry was Healthcare and Social Assistance, with 367, 486, and 139 critical vulnerabilities for small, medium, and large sites respectively.
Additionally, the report found that there’s no one-size-fits-all timeline for remediation approaches. In fact, there’s variance when it comes to the mean time to remediate (MTTR) across industries, with stringent regulations forcing finance and insurance to move quicker (28 days for smaller/lower complexity web assets), compared to the Utilities sector, which had the longest time to close (107 days for smaller/lower complexity web assets). This is likely due to the sector operating on legacy systems that are difficult to patch and update.
Operational disruptions pose a large business risk
Operational disruptions pose a large business risk, no matter the industry. The research found that widespread security misconfigurations (98% of applications affected) threaten business continuity and service availability.
Sensitive data exposure and injection vulnerabilities pose threats to sensitive data across all industries, potentially leading to data leaks, fines, financial losses, and reputational damage. Sensitive data at risk includes personally identifiable information such as Social Security numbers, banking information, login credentials, credit card numbers, medical records, and trade secrets.
In the educational services sector, an unaddressed vulnerability in a student information system could lead to the exposure of sensitive student data, including personal information, academic records, and financial details. Such a breach could result in identity theft, academic fraud, and violation of privacy laws like FERPA, leading to legal consequences and loss of trust in the institution.
“The high number of vulnerabilities found from the past year is a clear wake-up call that businesses cannot remain stagnant when deploying new security measures,” said Jason Schmitt, CEO, Black Duck. “The longer it takes for an organization to patch a vulnerability, the larger the chance of exploitation. Software risk equates to business risk, and with today’s malicious actors being more sophisticated than ever, it’s increasingly important that businesses across every sector build trust in their software by implementing a comprehensive and integrated approach.”