New Report Shows Half of Websites Were Vulnerable to Exploitation Throughout 2021

SAN JOSE, Calif., Feb. 18, 2022 /PRNewswire/ — The Application Security Division of NTT Ltd., a world leader in application security, today released AppSec Stats Flash: 2021Year in Review, an analysis of the data generated from more than 15 million application security scans performed by organizations throughout 2021. The report focuses on changes within Window-of-Exposure and Time-to-Fix data across industry verticals, such as Healthcare, Manufacturing, Utilities and Retail, and aims to arm organizations with actionable key takeaways for securing their web applications in the modern threat landscape.

NTT Application Security Logo (PRNewsfoto/WhiteHat Security)

Within the report, NTT Application Security researchers found that half (50 percent) of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout 2021, while only 27 percent were vulnerable less than thirty days. Additionally, the report uncovers a concerning downward trend in organizations’ remediation rates of critical vulnerabilities, which fell from 54 percent to 47 percent throughout the course of the year.

Key findings from the report include:

  • Half (50 percent) of all sites tested were vulnerable to at least one serious exploitable vulnerability throughout the entire year while 27 percent of sites tested were vulnerable less than thirty days throughout the year.
  • The Education industry had the longest Time-To-Fix a critical vulnerability across all industries (523.5 days) —nearly 335 days more than Public Administration (188.6 days), which maintained the shortest timeframe throughout the year.
  • The Finance and Insurance industry had the lowest percentage of sites perpetually exposed (43 percent), while Professional, Scientific and Technical Services had the highest percentage (65 percent).

“Marred by the Colonial Pipeline attack and the ongoing Log4j fallout, the events of 2021 brought application security to the forefront of the wider media and public conversation,” said Craig Hinkley, chief executive officer at NTT Application Security. “Despite the elevated push to remediate critical vulnerabilities in both public and private sector applications, there’s evidence that suggests this inadvertently led to an overall negative result, as these initiatives seem to have occurred as a tradeoff with—rather than an addition to—existing remediation efforts. Moving forward, it is critical for application security programs to evolve toward a more comprehensive approach that brings together robust security testing, strategic remediation efforts and contextual education of developers, development operations and security operations personnel.”

The report also examines the most common types of security vulnerabilities discovered in application security tests throughout 2021. Information Leakage, Insufficient Session Expiration, Insufficient Transport Layer Protection, Cross-Site Scripting and Content Spoofing were found to be the five most likely vulnerability classes identified throughout the year.  

Those interested in learning more about the findings can download the report today, or visit here to find previous AppSec Stats Flash reports examining the state of application security on a month-by-month basis.

For more information about NTT’s Application Security Division and its recently launched WhiteHat Vantage platform, please visit

About NTT

NTT Ltd. is a leading global technology services company. Working with organizations around the world, we achieve business outcomes through intelligent technology solutions. For us, intelligent means data driven, connected, digital and secure. Our global assets and integrated ICT stack capabilities provide unique offerings in cloud-enabling networking, hybrid cloud, data centers, digital transformation, client experience, workplace and cybersecurity. As a global ICT provider, we employ more than 40,000 people in a diverse and dynamic workplace that spans 57 countries, trading in 73 countries and delivering services in over 200 countries and regions. Together we enable the connected future. Visit us at

Media Contact

Chris Marsh

Senior Manager, Analyst Relations & Communications

NTT Application Security

[email protected]

Allison Arvanitis

Lumina Communications for NTT Application Security

[email protected] 


Cision View original content to download multimedia:


Global Tomographic Explosives Detection Systems & BHS Market Report 2022, Featuring Key Players Analogic, Dalmec, Eurologix Security, Leidos and Siemens

Advanced Space Completes Milestone Testing for its Mission to the Moon