A new report from security testing platform Synack shows a rise in critical-severity vulnerabilities in 2023 compared to 2022.
On a positive note though, despite mounting pressures on security teams, organizations have reduced their mean time to remediation for critical-severity vulnerabilities by 24 days and high-severity vulnerabilities by 18 days, down to 56 and 74 days, respectively.
“Understanding your attack surface and how successful exploitation of vulnerabilities could impact your organization is crucial to making smart security and business decisions,” says Jay Kaplan, CEO and co-founder of Synack. “We’re proud to release Synack’s second annual State of Vulnerabilities Report to help organizations in the healthcare, financial services, federal government, technology and manufacturing sectors understand what vulnerabilities they’re up against and how they can stay one step ahead of attackers. We’re seeing a lot of reasons to be optimistic, but that doesn’t mean the threat is diminishing.”
The report identifies the same categories of vulnerabilities persisting year after year, indicating increased threats surrounding injection flaws, which were highlighted in a recent Secure by Design Alert by the Cybersecurity and Infrastructure Security Agency. The healthcare and technology sectors have both seen an increase in SQL injections, and injection flaws including XSS accounted for roughly a third of all vulnerabilities Synack discovered in 2023.
On average, healthcare companies had more than 5,400 subdomains, 1,500 web applications and 1,400 IP addresses publicly exposed — the biggest attack surface of any industry sector reviewed. Of vulnerabilities found, nearly 1,900 were SQL injections rating as critical or high-severity.
Injection flaws magnified the security strengths and weaknesses of different industries. On average, financial services companies took 53 days to remediate SQL injection vulnerabilities, technology companies remediated them in 57 days and healthcare companies took just 45 days.
The full report is available from the Synack site.
Image credit: Funtap/depositphotos.com
