DevOps and digital transformation initiatives are creating insecure apps
WhiteHat Security released its 2018 Application Security Statistics Report, “The Evolution of the Secure Software Lifecycle,” which identifies the security vulnerabilities and challenges introduced into the enterprise through traditional applications, and through agile development frameworks, microservices, APIs, and cloud architectures.
One of the greatest concerns is that with few exceptions, the number of serious vulnerabilities per site has increased across all major industries, despite some improvements in finance, healthcare and retail. Unfortunately, these verticals are still struggling with long windows of exposure combined with very high times to fix, which has driven up security risk levels compared with last year’s report.
“Businesses are transitioning from traditional applications and legacy systems, to web and mobile applications that are purpose-built to serve up superior customer experiences,” said Craig Hinkley, CEO of WhiteHat Security. “However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats.”
For executives and development teams that are building new applications as the cornerstone of their digital transformation initiatives, the challenges cut both ways. To drive growth and economies of scale, companies must adopt newer software development practices that quickly and easily add value to their offerings. In doing so, nearly 70 percent of every application consists of reusable software components (e.g. third-party libraries, open source software (OSS), etc.). That means those applications also “inherit” the vulnerabilities in those software components. To guard against this, developers should incorporate software composition analysis (SCA) into the development process to catch these vulnerabilities early and prevent them from being introduced.
“DevOps is now mainstream, but the adoption of security within the DevOps process is still lagging. Our work to track this trend for the past three years has shown that organizations continue to grapple with an increase in application releases, increased volume and complexity of attacks, and an ever-widening AppSec skills gap,” said Setu Kulkarni, vice president of Corporate Strategy at WhiteHat Security. “However, we also find that organizations that successfully embed security into DevOps experience a 50 percent drop in their production vulnerabilities, and that their time to fix improves by 25 percent.”
Hinkley underscored the importance of DevSecOps, or integrating security into the software development life cycle: “When we see a year-over-year decline in overall remediation rates, that means AppSec and DevOps teams are too focused on fixing easy-to-patch medium- and lower-severity findings after the fact. To truly protect the enterprise, the focus must be on addressing severe vulnerabilities as soon as possible, or better yet – have security written into the design of business applications at the code level.”
Not unlike last year’s findings, the four vulnerability classes most likely to be discovered by DAST (dynamic application security testing) remain:
- Information leakage (45 percent)
- Content spoofing (40 percent)
- Cross site scripting (38 percent)
- Insufficient transport layer protection (23 percent)
While development innovations have become table stakes for success and bring challenges of their own, they also present great opportunities to secure applications that are being produced and upgraded at an unprecedented rate.
To achieve evolutionary change in AppSec practices, organizations must focus on risk discovery and management. Not only should companies fix the vulnerabilities that are found, but they should ensure these fixes are rapid, resulting in a much smaller window of exposure. Further, development teams must focus on release assurance—preventing the introduction of vulnerabilities into code and verifying this before each iterative release. Finally, enterprises must commit to developer enablement, which provides education and empowerment throughout the software lifecycle by adding AppSec tools to the developer workspace.