Report provides Dynamic, Static, and Mobile App Security statistics, and a real-world example of a successful DevSecOps approach
Santa Clara, Calif., July 11, 2017 – WhiteHat Security, the only application security provider that combines the best of technology and human intelligence to secure digital business, today announced the release of its 12th annual Application Security Statistics Report.
The WhiteHat Statistics report is unique in the industry because it uses real application security data collected in the twelve months of 2016 from 15,000 web applications, billions of lines of code, and more than 65,600 mobile apps. The report comprises analysis of dynamic testing (DAST) results, and — new to this year’s report — static testing (SAST) results and DAST/SAST applied in combination, along with mobile app security data provided by WhiteHat partner NowSecure.
The report also includes a case study titled “Making the Case for DevSecOps”, profiling a Fortune 500 company that has seen dramatic improvements in the security of their applications as a result of applying a DevSecOps approach to building their digital products and experiences. By implementing an application security program that fosters positive collaboration, critical DAST vulnerabilities have been cut in half, and time-to-fix for SAST vulnerabilities is a fraction of industry average, significantly reducing their attack surface and operational-risk to the business.
Top findings in the 2017 report include:
- Adoption of DevSecOps is imperative for application security to deliver competitive advantage. As the customer case study in the report illustrates, implementing an application security program that encourages positive collaboration between security and development can dramatically improve an organization’s security posture.
- The application security posture of the average organization has improved but only marginally. In 2015, the web applications analyzed had an average of four vulnerabilities. That number dropped to three in 2016.
- Almost half of all applications remain vulnerable on every single day of the year. Looking at the “Window of Exposure” across 13 different industries, WhiteHat found that most organizations are not able to resolve all of the serious vulnerabilities found in their applications. In the Utilities, Education, Accommodations, Retail, and Manufacturing sectors, approximately 60 percent of applications are “always vulnerable”.
- Use of both SAST and DAST testing in tandem is essential for application security program effectiveness. Many organizations are still not employing both testing techniques. Certain code vulnerabilities take a shorter amount of time to fix and are easier to remediate during development, when static testing (SAST) is best employed. Other errors show up only in dynamic testing (DAST) of applications once in production.
- Organizations must take a risk-based approach to remediating application security flaws. Remediation priorities need to be set based on the criticality of the software errors found, not on how easy the vulnerability is to fix. Software developers need more education by security teams to understand the risk levels of different vulnerability types.
- High risk vulnerabilities still suffer the highest time-to-fix (TTF). High risk vulnerabilities took an average of 196 days to fix, up from an average of 171 in 2015. On the contrary, the report shows that Critical vulnerabilities were fixed quickest in 2016, within an average of 129 days, down from 146 days in 2015. As this and other findings suggest, remediation is too often being prioritized by path of least resistance (i.e. the ‘easiest’ vulnerabilities are the first to be fixed), leaving the organization significantly exposed.
In the mobile application security data provided by WhiteHat partner NowSecure, the top security issues and vulnerabilities by mobile application category were identified for the Android and iOS platforms. News, Games and Lifestyle applications were the top three most vulnerable categories of apps on the Android platform in 2016, while Music, News and Finance were the top most vulnerable categories on the iOS platform. The popularity of both Android and iOS is prompting most companies to create apps for both platforms, doubling the work – and the security challenge – facing developers.
“This year’s report reinforces the potential of DevSecOps to transform the security of the applications that drive today’s businesses,” said Ryan O’Leary, Vice President, Service Delivery and Technical Support, WhiteHat Security. “As the case study indicates, a robust application security program that facilitates collaboration across security and development teams can reap amazing results. Considering that applications are literally at the core of our digital lives, it’s more important than ever to ensure that enterprises of all types can provide safe digital experiences.”
Talk with WhiteHat Security’s application security experts about this year’s Application Security Report in booth #840 at Black Hat USA 2017, taking place on July 26 and 27 in Las Vegas.
For more information
- Read the blog, “It’s here: The 2017 WhiteHat Security Application Security Statistics Report!”
- Learn more about the WhiteHat Security Service Delivery
About WhiteHat Security
WhiteHat Security has been in the business of securing applications for over 15 years. In that time, applications have evolved to become the driving force of the digital business, permeating every aspect of our lives. The WhiteHat Application Security Platform is a cloud service that allows organizations to bridge the gap between security and development to deliver secure applications at the speed of business. This innovative platform is one of the reasons why WhiteHat has won numerous awards and been recognized by Gartner as a Leader in application security testing four times in a row. The company is headquartered in Santa Clara, Calif., with regional offices across the U.S. and Europe. For more information on WhiteHat Security, please visit www.whitehatsec.com, and follow us on Twitter, LinkedIn and Facebook.