Software security continues to be a top priority for organizations and development teams, but they are still struggling to address vulnerabilities in their applications. A recently released report revealed while organizations are beginning to increase their application testing efforts, their remediation rates are falling.
The 2019 WhiteHat Application Security Statistics report is based on data analysis from approximately 17 million application security scans.
“An increased awareness of application security risks has naturally expanded the scope of applications being tested. In fact, in a single year, we saw a 20% increase in the number of apps organizations are testing. At the same time, however, remediation rates have fallen, which is a huge concern. The limited pool of global application security professionals exacerbates the situation due to a constant shortage of skills and resources required to keep up with remediation/mitigation needs,” the report stated.
In addition, Setu Kulkarni, VP of strategy and business development at WhiteHat Security, explained that while organizations may be investing more in testing, they may not be investing enough in fixing vulnerabilities. Also, the use of embeddable components in the software supply chain may also be an issue when it comes to keeping up with vulnerabilities. For instance, the company found embedded components make up about a third of app security vulnerabilities, and there was a 50 percent increase in unpatched library bugs over the last year. “This is a dangerous trend, as more open source and third-party software is embedded in organizations’ own applications, and it underlines the need for software vendors that provide these components to raise their security standards,” he wrote in a post.
To address these issues, WhiteHat believes in a phase metrics-driven DevSecOps approach. This type of approach includes three phases:
- Risk discovery and management, which detects window of exposure, time-to-fix by risks and remediation rates by risk.
- Release assurance, which reveals the average time-to-fix, remediation rate by risk, and vulnerability prevalence by class
- Developer enablement, which looks at vulnerability prevalence by class as well as remediation rates by risk
“Unless and until you can measure something, you can’t make it better. Or, in our case, more secure. At each stage of the software lifecycle, capturing core metrics like those we outline in the DevSecOps approach will offer advanced insight into how applications are already at risk or can be exposed to risks, even when they are in production. These metrics offer the chance to make adjustments when they are far less costly to the organization,” the report stated.
Other findings of the report included: app security continues to be unbalanced across development security and operations; organizations that scan apps in production reduce their risk of being breached; DevSecOps has proven to reduce risk and costs, and improve time to market.
“Applications are under constant attack, and businesses continue to struggle against this tide. However, by embedding application security testing at each stage of the software lifecycle, organizations can make demonstrable improvements while reducing the time to delivery of secure applications,” said Craig Hinkley, CEO at WhiteHat.