Does the DevSecOps approach make a difference when it comes to improving application security? According to this year’s 12th annual WhiteHat Security “Application Security Statistics Report,” it certainly does.

This year’s WhiteHat report includes a case study that details a large health organization’s successful implementation of a DevSecOps approach.  According to the study, critical vulnerabilities in applications were resolved in a fraction of the time it takes teams without a DevOps or DevSecOps approach. Part of the organization’s DevSecOps solution included training teams on secure coding techniques, dubbing trained employees “Security Heroes,” so they could foster positive collaboration and correct developer mistakes.

“[The organization] created a sustainable infrastructure for software development teams to be not only successful, but self-sufficient,” reads the study. “The cybersecurity team understands its role is to provide value, advice and expertise acting as change agents and thought leaders in application security. In the process, it has proven to be a true center of excellence for application security.”

The organization highlighted in WhiteHat’s case study identified key cultural and technological differences and motivators across its security and development teams, and later implemented an application security program that “bridged these differences, fostering collaboration and a shared commitment to application security,” writes Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security.

Major findings on AppSec statistics in 2017
In addition to the case study, this year’s report comprises analysis of dynamic testing (DAST) results, static testing (SAST) results, and DAST/SAST applied in combination, along with mobile app security data provided by WhiteHat Security partner, NowSecure. NowSecure provided data from the report’s mobile section, which examines the top security issues and vulnerabilities by mobile application category for the Android and iOS platforms.

Some statistics from the report show the application security posture of the average organization has improved, but only marginally. According to the report, in 2015, the web applications analyzed had an average of four vulnerabilities. This number dropped to three in 2016.

While there is some improvement, almost half of all applications remain vulnerable on every single day of the year. WhiteHat found that most organizations are not able to resolve all of the vulnerabilities found in their apps. In the Utilities, Education, Accommodations, Retail, and Manufacturing sectors, approximately 60 percent of applications are “always vulnerable,” according to WhiteHat.

These vulnerabilities are easier to fix if teams use both SAST and DAST testing, which WhiteHat found to be essential for application security program effectiveness. This year’s report found that many organizations are still not employing both testing techniques.

“This year’s report reinforces the potential of DevSecOps to transform the security of the applications that drive today’s businesses,” said O’Leary. “As the case study indicates, a robust application security program that facilitates collaboration across security and development teams can reap amazing results. Considering that applications are literally at the core of our digital lives, it’s more important than ever to ensure that enterprises of all types can provide safe digital experiences.”

While there are still too many vulnerabilities left in applications, there are two things that O’Leary said gives WhiteHat security “hope” for the future of AppSec. For instance, the fact that application security did improve by 25% is an overall sign that many organizations are starting to mature, even if it is at a slow pace.

And as their case study indicates, DevSecOps isn’t just another buzzword; it’s offering some “light at the end of the tunnel” for applications security teams and development teams, too.

“We’re starting to see real evidence of the value of security and development working together to protect the applications that we rely on every day both personally and professionally,” writes O’Leary.