This is year 12 of the WhiteHat Security Application Security Statistics Report, and for the first time in its history (and maybe all history) we are providing some real metrics around DevSecOps. Does taking this approach really make a difference when it comes to improving application security? Turns out, the answer is yes.
In the section of our new report titled “Case Study: Making the Case for DevSecOps”, we’ve profiled a Fortune 500 company (and WhiteHat customer) that has seen dramatic improvements in the security of their applications as a result of applying a DevSecOps approach. This organization identified the key cultural and technological differences and motivators across its security and development teams, and eventually designed and implemented an application security program that bridged these differences, fostering collaboration and a shared commitment to application security.
Critical vulnerabilities in applications in development and in production were resolved in a fraction of the time that it takes organizations that haven’t engaged DevOps teams in the security effort. For more on this, read our stats report and join us for a webinar next week titled “DevSecOps Blueprint: A Case Study on How a Fortune 500 Implemented DevSecOps”.
Besides the case study, we’ve also added new sections on SAST, DAST, SAST and DAST used in combination, and mobile security. Our thanks to partner NowSecure, who provided the data for our mobile section, which offers insights into the top security issues and vulnerabilities by mobile application category for the Android and iOS platforms.
What you’ll find as you read this report is that there are still too many vulnerabilities in applications and it’s still taking too long to fix them. Almost half of all applications remain vulnerable on every single day of the year. But two things give us great hope:
- The application security posture of the average organization did improve in 2016; only marginally, but hey – we’ll take any improvements we can find! In 2015, the average web application had four vulnerabilities, but in 2016 that number dropped to three. That’s an improvement of 25 percent, and overall a sign that many organizations are starting to mature their application security programs.
- As the case study in our report indicates, the DevSecOps phenomenon offers light at the end of the tunnel, and we’re starting to see real evidence of the value of security and development working together to protect the applications that we rely on every day both personally and professionally.
Applications are literally at the core of our digital lives, so it’s more important than ever to ensure that enterprises of all types can provide safe digital experiences. We hope this report provides valuable insights and recommendations on how to secure the apps that drive your business.