Manufacturing Has the Lowest Percentage of High-Severity Flaws but Needs to Improve Time to Remediation

Manufacturing Has the Lowest Percentage of High-Severity Flaws but Needs to Improve Time to Remediation

The past 12 months have been especially challenging for the manufacturing industry. The pandemic affected in-person manufacturing jobs as well as supply and demand, causing many manufacturing companies to shut their doors or lay off valuable employees. Recognizing the vulnerable state of manufacturing companies, cybercriminals saw manufacturing as an easy target. In fact, the manufacturing industry saw an 11 percent increase in cyberattacks in 2020.

And even more concerning, our recent State of Software Security v11 (SOSS) report found that, when compared to other industries, the manufacturing industry ranks last for fix-rate and median time to remediate security flaws. That means that the manufacturing industry has security flaws in applications that aren’t getting resolved in a timely manner. And more lingering flaws mean more opportunity for a cyberattack.

That said, it is reassuring to see that the manufacturing industry falls in the middle of the pack for the percentage of applications with flaws and – even better – has the lowest portion of applications with high-severity flaws.

Manufacturing SOSS

What are some steps that the manufacturing industry can take to improve its fix rate and half-life?

When reviewing the SOSS data, there are several factors contributing to the low fix rate and time to remediation. Some of the factors are simply the “nature” of the applications and can’t necessarily be changed. For example, applications in the manufacturing industry tend to be large and have a high flaw density. But there are several factors that can be “nurtured” to improve fix rate and time to remediation, like scanning via API, scan frequency, and using software composition analysis (SCA) with static analysis (SAST).

Manufacturing SOSS half life data

Just by scanning applications for flaws more frequently, industries improved their time to remediation by 22 days. By leveraging APIs, industries improved time to remediation by 18 days. It really comes down to adopting and implementing DevSecOps best practices.

And while talking about flaws, it’s important to note that the most common security flaws in the manufacturing industry are information leakage, CRLF injection, and code quality. Credentials management is also surprisingly common, perhaps due to the fact manufacturing used to not require authorization for applications.

For more information on software security trends in the manufacturing industry, check out The State of Software Security Industry Snapshot.

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.