Traditional applications continue to introduce risk into the enterprise, and the number of serious vulnerabilities has increased across most sectors, according to WhiteHat Security. The 2018 Application Security Statistics Report: The Evolution of the Secure Software Lifecycle found that, alongside traditional applications, agile development frameworks, microservices, application programming interfaces (APIs) and cloud architectures bring vulnerabilities and security challenges of their own.
While the financial, healthcare and retail sectors have seen some improvement, every major industry still struggles with long windows of exposure (the time during which a known vulnerability remains exploitable in production). Combined with slow time-to-fix, these long exposure windows have pushed risk levels above those reported last year.
“Businesses are transitioning from traditional applications and legacy systems to web and mobile applications that are purpose-built to serve up superior customer experiences,” said Craig Hinkley, CEO of WhiteHat Security. “However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats.”
New applications have become the foundation of enterprise digital transformation, and to add value to their offerings companies have had to adopt new software development practices. Yet the report's findings suggest that businesses are still not building security into the application development lifecycle.
According to the report, nearly 70% of a typical application is made up of reusable software components. In addition, the four most likely vulnerability classes (where likelihood is the share of applications in which at least one vulnerability of that class was found) are unchanged from last year: information leakage (45%), content spoofing (40%), cross-site scripting (38%) and insufficient transport layer protection (23%).
“DevOps is now mainstream, but the adoption of security within the DevOps process is still lagging. Our work to track this trend for the past three years has shown that organizations continue to grapple with an increase in application releases, increased volume and complexity of attacks, and an ever-widening AppSec skills gap,” said Setu Kulkarni, vice president of corporate strategy at WhiteHat Security.
“However, we also find that organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and that their time to fix improves by 25%.”