In 2021, manufacturing became cybercriminals’ most targeted industry as a surge in global ransomware attacks disrupted manufacturing operations and exacerbated supply chain woes. This put even more pressure on manufacturing organizations that were already feeling the heat.
Recognizing that ransomware attacks can be traced back to software vulnerabilities, many manufacturers are exploring ways to strengthen their software security programs. Our recent State of Software Security report v12 (SOSS), which analyzed 20 million scans across half a million applications, identified several manufacturing-specific trends that may help focus these efforts.
First up, some good news: The manufacturing industry now boasts the lowest number of software security flaws across all sectors, dethroning financial services from last year’s top spot. However, the manufacturing sector is also tied for the lowest number of flaws that are fixed. This means that manufacturing companies have security flaws in applications that aren’t getting resolved in a timely manner – especially when it comes to open-source code.
Closing the manufacturing sector’s fix time gap
The imbalance between overall flaws and fix rates can be partly attributed to the specialized industrial applications found in manufacturing, which tend to have fewer flaws that are harder to fix compared to those in other industries. Some of the most common software flaws across the manufacturing sector include server configuration, insecure dependencies, and information leakage.
Digging further into SOSS data, we see that manufacturing lags most other sectors in the time it takes to fix 50 percent of flaws once they’re detected: 206 days for dynamic (DAST) analysis, 403 days for static (SAST) analysis, and 532 days for software composition analysis (SCA) scans.
Flaws in third-party libraries tend to stick around. And this is especially true for the manufacturing sector, which is about six months slower to make fixes compared to other industries. After two years, 40 percent of vulnerable libraries remain unresolved.
For manufacturing organizations, identifying ways to close this fix time gap – for instance, by scanning applications earlier and more frequently, and adding hands-on security training to the mix – will go a long way in limiting opportunities for cyberattackers and mitigating future risk.
For more information on software security trends in the manufacturing industry, check out The State of Software Security Industry Snapshot: Manufacturing.