Today, we released the results of our newest threat research, compiled in the 2018 Application Security Statistics report, “The Evolution of the Secure Software Lifecycle.” This research revealed that serious vulnerabilities continue to increase across all major industries. Additionally, enterprises are still struggling with long windows of exposure to these vulnerabilities, and high times to fix, which has driven up security risk levels compared with last year’s report.
As in prior years, the 2018 Stats report tracked the following critical metrics that determine the overall state of application security:
- Window of Exposure: Saw a 33% increase from last year
- Remediation Rate: Remained same as last year
- Time to Fix: Saw a 2% increase from last year
Overall, these metrics indicate a worsening state of application security. The number of applications and application releases continue to increase at an unprecedented rate. The volume and complexity of attacks also continues to increase unabated. With an ever increasing skill and resource gap in application security the net result is that applications today create an exponential business risk.
Industries like finance, healthcare and retail showed some improvements from last year, but on a macro-level our stats report identified security trends that continue to pose challenges to both traditional applications and modern applications.
The top vulnerabilities for 2017 remained the same which means that hackers have it easy since they really don’t have to learn new tricks. Dangerous attacks are easy to accomplish with common vulnerabilities like cross-site scripting, information leakage, content spoofing and insufficient transport layer protection popping up frequently. Further, more than 60 percent of applications had at least one serious and exploitable vulnerability open throughout the year – meaning the doors to easy exploits were wide open.
WhiteHat Security also tracks modern application development trends – specifically, open source usage and microservice architectures. Our findings revealed that as more enterprises increase reliance on applications, they also failed to implement application security into the software development lifecycle. Research also confirmed that microservices create more insecurities on average than traditional applications.Nearly 70 percent of every application is comprised of reusable software components (e.g. third-party libraries, open source software (OSS), etc.), because this development method quickly and easily adds value to offerings. But, that also means that applications “inherit” vulnerabilities found in the software components too. However, when DevSecOps is done the right way, remediation rates and time to fix improved for microservices based applications.
The bottom line is that while development innovations have become table stakes, they also present challenges. Thanks to our strategic partners NowSecure and Coalfire, we were able to identify even more trends and insights into the state of application security than before.
These challenges present great opportunities to continue finding innovative ways to secure business applications. The picture is still mixed, but we are encouraged by signs of progress. For example, when organizations embed security into the DevOps process, they typically see a 50 percent drop in production vulnerabilities, and their time to fix improves by 25 percent. That is significant!
Why is Application Security So Important to the Modern Business?