What makes security pros so anxious about application security? Veracode asks that question in the ninth iteration of its State of Software Security report.
“The most important function of an application security program is how effectively flaws are fixed once they are discovered,” the report said. “There is no way to sugarcoat it: the sheer volume of flaws and percentage of vulnerable apps remain staggeringly high.”
As we have seen with most high-profile security breaches, failing to patch a newly discovered flaw quickly can lead to a data disaster down the road. Indeed, Veracode's research reveals that more than 70 percent of discovered vulnerabilities remain active one month later, and some 55 percent are still unpatched three months down the road. It also concluded that DevSecOps unicorns do exist, and they’re fixing flaws 11.5 times faster than the typical organization.
In considering the overall landscape of software security, there’s obvious room for improvement in application security, Veracode said. For example, the rate of Open Web Application Security Project (OWASP) compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates at 22.5 percent. In addition, roughly 85 percent of all applications have at least one vulnerability and more than 13 percent have at least one very serious flaw.
Here’s some data from the report:
“Contrary to what some security staffers might believe, developers simply can’t wave a magic wand over the portfolio to fix the majority of flaws in an instant, or even in a week,” said Chris Eng, VP of research at Veracode, in the report. “However, our data presents hopeful glimpses at potential prioritizations and software development methods that could help organizations reduce risk more quickly,” he said. “This year’s analysis shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe presents a significant piece of evidence for the efficacy of DevSecOps.”