Remediation rates for application vulnerabilities continue to worsen despite a strong emphasis on application security testing, a new study said.
Although customers are scanning 20 percent more applications, the added effort has not slowed the decline in remediation rates, according to the results of enterprise application security specialist WhiteHat Security’s report, The DevSecOps Approach: Using AppSec Statistics to Drive Better Outcomes.
The security provider, which operates as an independent subsidiary of NTT Security (a Top 100 MSSP), contends that a three-phase approach to DevSecOps -- risk discovery and management; release assurance; and developer enablement -- enables security teams to deliver better performing and more secure applications.
This isn’t merely a bird’s eye view WhiteHat is touting: Organizations that have implemented the three-phased DevSecOps approach have cut the share of their applications that are always vulnerable (the window of exposure) to an average of 22 percent, while those that have not adopted DevSecOps report an average of more than 50 percent of apps as always vulnerable, the study found.
Key findings of the report include:
- The effort required to secure the rapidly growing volume of existing and new applications is overwhelming already short-staffed teams.
- AppSec investment is unbalanced across development, security and operations.
- Organizations that scan applications in production have a reduced risk of being breached.
- Organizations that embed security in DevOps are able to reduce risk, reduce cost and improve time to market.
- Embeddable components in the software supply chain account for one-third of all AppSec vulnerabilities.
“Applications are under constant attack, and businesses continue to struggle against this tide,” said Craig Hinkley, WhiteHat CEO. “However, by embedding application security testing at each stage of the software lifecycle, organizations can make demonstrable improvements while reducing the time to delivery of secure applications.”
WhiteHat’s recommendations:
- Implement a three-phased DevSecOps approach to facilitate communication, collaboration and consensus among IT security, DevOps, and IT Operations.
- Use Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) results for risk assurance, developer enablement and to drive consensus for an updated application security funding model.
- Incorporate software composition analysis (SCA) into your DevSecOps program. Since more than one third of all AppSec risks lie within ‘reused’ code (unpatched libraries), it’s essential to conduct SCA testing as part of the risk assurance process.
- Ensure balanced investment across Development, Security and Operations for Application Security.
- Develop an investment plan that allows security to test applications and DevOps/TechOps to get trained, mitigate/remediate vulnerabilities and incorporate security testing throughout the software lifecycle.