WhiteHat Security today released its 2018 Application Security Statistics Report,
"The Evolution of the Secure Software Lifecycle," which identifies the
security vulnerabilities and challenges introduced into the enterprise
through traditional applications, and through agile development
frameworks, microservices, application programming interfaces (APIs),
and cloud architectures.
WhiteHat's annual study was published in partnership with NowSecure, providers of automated mobile app security testing; and Coalfire, providers of cyber risk management and compliance services for public and private enterprises.
One of the greatest concerns discovered by these methods, alongside WhiteHat's application security testing, is that with few exceptions, the number of serious vulnerabilities per site has increased across all major industries, despite some improvements in finance, healthcare and retail. Unfortunately, these verticals are still struggling with long windows of exposure combined with very high times to fix, which has driven up security risk levels compared with last year's report.
"Businesses are transitioning from traditional applications and legacy systems, to web and mobile applications that are purpose-built to serve up superior customer experiences," said Craig Hinkley, CEO of WhiteHat Security. "However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats."
For executives and development teams that are building new applications as the cornerstone of their digital transformation initiatives, the challenges cut both ways. To drive growth and economies of scale, companies must adopt newer software development practices that quickly and easily add value to their offerings. In doing so, nearly 70 percent of every application is comprised of reusable software components (e.g. third-party libraries, open source software (OSS), etc.). That translates to those applications also "inheriting" the vulnerabilities in those software components. To guard against this, developers should incorporate software composition analysis (SCA) into the development process to catch these inherited vulnerabilities early and prevent them from being introduced.
"DevOps is now mainstream, but the adoption of security within the DevOps process is still lagging. Our work to track this trend for the past three years has shown that organizations continue to grapple with an increase in application releases, increased volume and complexity of attacks, and an ever-widening AppSec skills gap," said Setu Kulkarni, vice president of Corporate Strategy at WhiteHat Security. "However, we also find that organizations that successfully embed security into DevOps experience a 50 percent drop in their production vulnerabilities, and that their time to fix improves by 25 percent."
Hinkley underscored the importance of DevSecOps, or integrating security into the software development life cycle: "When we see a year-over-year decline in overall remediation rates, that means AppSec and DevOps teams are too focused on fixing easy-to-patch medium- and lower-severity findings after the fact. To truly protect the enterprise, the focus must be on addressing severe vulnerabilities as soon as possible, or better yet, have security written into the design of business applications at the code level."
Not unlike last year's findings, the top four most likely DAST vulnerabilities to be discovered remain:
- Information leakage (45 percent)
- Content spoofing (40 percent)
- Cross-site scripting (38 percent)
- Insufficient transport layer protection (23 percent)
While development innovations have become table stakes for success and present real challenges, they also bring great opportunities to secure the applications that are being produced and upgraded at an unprecedented rate.
To achieve evolutionary change in AppSec practices, organizations must focus on risk discovery and management. Not only should companies fix the vulnerabilities that are found, but they should ensure these fixes are rapid, resulting in a much smaller window of exposure. Further, development teams must focus on release assurance: preventing the introduction of vulnerabilities into code and verifying this before each iterative release. Finally, enterprises must commit to developer enablement, which provides education and empowerment throughout the software lifecycle by adding AppSec tools to the developer workspace.
To view the full report, please visit https://info.whitehatsec.com/Content-2018StatsReport_LP.html.