SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

WhiteHat Makes the Case for DevSecOps

July 12, 2017

WhiteHat Security, the only application security provider that combines the best of technology and human intelligence to secure digital business, today announced the release of its 12th annual Application Security Statistics Report.

The WhiteHat Statistics report uses real application security data collected in the twelve months of 2016 from 15,000 web applications, billions of lines of code, and more than 65,600 mobile apps. The report comprises analysis of dynamic testing (DAST) results, and — new to this year’s report — static testing (SAST) results and DAST/SAST applied in combination, along with mobile app security data provided by WhiteHat partner NowSecure.

The report also includes a case study titled “Making the Case for DevSecOps”, profiling a Fortune 500 company that has seen dramatic improvements in the security of their applications as a result of applying a DevSecOps approach to building their digital products and experiences. By implementing an application security program that fosters positive collaboration, critical DAST vulnerabilities have been cut in half, and time-to-fix for SAST vulnerabilities is a fraction of industry average, significantly reducing their attack surface and operational-risk to the business.

Top findings in the 2017 report include:

  • Adoption of DevSecOps is imperative for application security to deliver competitive advantage. As the customer case study in the report illustrates, implementing an application security program that encourages positive collaboration between security and development can dramatically improve an organization’s security posture.
  • The application security posture of the average organization has improved but only marginally. In 2015, the web applications analyzed had an average of four vulnerabilities. That number dropped to three in 2016.
  • Almost half of all applications remain vulnerable on every single day of the year. Looking at the “Window of Exposure” across 13 different industries, WhiteHat found that most organizations are not able to resolve all of the serious vulnerabilities found in their applications. In the Utilities, Education, Accommodations, Retail, and Manufacturing sectors, approximately 60 percent of applications are “always vulnerable”.
  • Use of both SAST and DAST testing in tandem is essential for application security program effectiveness. Many organizations are still not employing both testing techniques. Certain code vulnerabilities take a shorter amount of time to fix and are easier to remediate during development, when static testing (SAST) is best employed. Other errors show up only in dynamic testing (DAST) of applications once in production. 
  • Organizations must take a risk-based approach to remediating application security flaws. Remediation priorities need to be set based on the criticality of the software errors found, not on how easy the vulnerability is to fix. Software developers need more education by security teams to understand the risk levels of different vulnerability types. 
  • High risk vulnerabilities still suffer the highest time-to-fix (TTF). High risk vulnerabilities took an average of 196 days to fix, up from an average of 171 in 2015. On the contrary, the report shows that Critical vulnerabilities were fixed quickest in 2016, within an average of 129 days, down from 146 days in 2015. As this and other findings suggest, remediation is too often being prioritized by path of least resistance (i.e. the ‘easiest’ vulnerabilities are the first to be fixed), leaving the organization significantly exposed.

In the mobile application security data provided by WhiteHat partner NowSecure, the top security issues and vulnerabilities by mobile application category were identified for the Android and iOS platforms. News, Games and Lifestyle applications were the top three most vulnerable categories of apps on the Android platform in 2016, while Music, News and Finance were the top most vulnerable categories on the iOS platform. The popularity of both Android and iOS is prompting most companies to create apps for both platforms, doubling the work – and the security challenge – facing developers.

“This year’s report reinforces the potential of DevSecOps to transform the security of the applications that drive today’s businesses,” said Ryan O’Leary, Vice President, Threat Research Center and Technical Support, WhiteHat Security. “As the case study indicates, a robust application security program that facilitates collaboration across security and development teams can reap amazing results. Considering that applications are literally at the core of our digital lives, it’s more important than ever to ensure that enterprises of all types can provide safe digital experiences.”

Terms of Use | Copyright © 2002 - 2017 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement