This is the 14th year that we are publishing our annual WhiteHat Security Application Security Statistics report. Over the years, this report has become the authoritative take on the state of application security globally. In 2017 and 2018, we started closely tracking DevOps trends and the inclusion of security in the software lifecycle. In 2019, we are now able to report that organizations that succeed in significantly improving the state of their applications’ security take a phased approach to implementing security within their DevOps processes.
Furthermore, this year, we are able to tie the metrics that we have been tracking to these phases. This year’s report titled: The DevSecOps Approach: Using AppSec Statistics to Drive Better Outcomes, provides a comprehensive take on what’s working and what’s not in the world of application security.
The report shows that organizations that have started down the road to embed security in development and operations in a phased manner – are able to improve all the AppSec KPIs that point to a significantly better AppSec posture overall. One of the key metrics, among others, we track is Window of Exposure. We find that these organizations achieve windows of exposure that are significantly shorter than the industry average. These organizations are better equipped to prioritize the dynamic testing of in-production applications to discover vulnerabilities that might be currently exploitable, and then taking a risk-based approach to mitigating or remediating them.
Consequently, these organizations are seeing much higher remediation rates, averaging 89.4% for critical risks, as opposed to the 50.7% mentioned above for U.S. organizations generally. Remediation for high risks is 87.3%, as opposed to 36.8% for U.S. organizations and 33.9% for European organizations.
Broadly, the good news is that organizations are more aware than ever of their application security risks, and we can see that in the 20% increase in the number of applications that organizations are testing. The bad news is that remediation rates have fallen, which is a huge concern. The remediation rate for critical risks, for example, is 50.7% in the United States and a surprising 40.7% in Europe.
There are a couple of factors that could explain the low numbers. First, since we know organizations are testing more apps, they may not be increasing their investment in fixing vulnerabilities, decreasing the remediation rates.
Second, we know there is a global shortage of application security professionals, meaning that organizations may have difficulties obtaining the skills and resources they need to keep up with remediation needs. Enterprise Strategy Group’s most recent annual survey, for example, shows 53% of organizations reporting a problematic shortage of cybersecurity skills, up from 42% just a few years ago.
Also hampering organizations’ ability to keep up with vulnerabilities: embeddable components in the software supply chain. We found that these components account for one-third of all application security vulnerabilities. In fact, we saw a 50% increase in unpatched library vulnerabilities this year. This is a dangerous trend, as more open source and third-party software is embedded in organizations’ own applications, and it underlines the need for software vendors that provide these components to raise their security standards.
While it is refreshing to see more applications being tested across organizations, the next logical step is to improve remediation for any vulnerabilities that are found in those tests. With these statistics in hand, it’s clear that organizations should make DevSecOps an integral part of their application strategy.
With WhiteHat Security, organizations are enabled to succeed with a phased metrics-driven approach to implement security within their DevOps processes. This is essential, since as the findings within this report indicate, organizations that have embedded security in development and operations in a phased manner are enabled to improve all the AppSec KPIs, improving AppSec posture overall.
Click here to read the full report and learn more.