Even more concerning, our recent State of Software Security v11 (SOSS) report found that, compared to other industries, the manufacturing industry ranks last for fix rate and median time to remediate security flaws. In other words, security flaws in manufacturing applications are not getting resolved in a timely manner, and the longer a flaw lingers, the more opportunity it offers for a cyberattack.
That said, it is reassuring to see that the manufacturing industry falls in the middle of the pack for the percentage of applications with flaws and – even better – has the lowest portion of applications with high-severity flaws.
What are some steps that the manufacturing industry can take to improve its fix rate and half-life?
When reviewing the SOSS data, several factors contribute to the low fix rate and slow time to remediation. Some of these factors are simply the “nature” of the applications and can’t necessarily be changed; for example, applications in the manufacturing industry tend to be large and have a high flaw density. But several other factors can be “nurtured” to improve fix rate and time to remediation, such as scanning via API, scan frequency, and using software composition analysis (SCA) alongside static analysis (SAST).
Just by scanning applications for flaws more frequently, industries improved their time to remediation by 22 days. By leveraging APIs, industries improved time to remediation by 18 days. It really comes down to adopting and implementing DevSecOps best practices.
While on the subject of flaws, it’s important to note that the most common security flaws in the manufacturing industry are information leakage, CRLF injection, and code quality. Credentials management flaws are also surprisingly common, perhaps because manufacturing applications historically did not require authorization.
For more information on software security trends in the manufacturing industry, check out The State of Software Security Industry Snapshot.