Application security continues to stink at many organizations, a new report from Veracode shows. But developers are not the only ones to blame.
A failure by organizations to provide adequate security training and by operational teams to address vulnerabilities in the production environment have a big impact on application safety as well, the company said.
Veracode's State of Software Security 2017 report is based on a code-level analysis of nearly 250 billion lines of code across 400,000 assessments conducted for 1,400 customers between April 2016 and March 2017.
The analysis showed more than 75% of the applications having one or more security vulnerabilities in code written by the development team, on initial scan. About 12% had either a very-high-severity or a high-severity flaw on first scan. A startling 88%, nearly nine out of 10, Java applications had at least one serious component-level flaw.
[See Veracode's vice president of research Chris Eng discuss Security, Application Development and DevOps at DarkReading's upcoming INsecurity Conference, Nov. 29-30 in the D.C. area.]
Veracode's 2017 analysis found applications riddled with the same vulnerabilities that it uncovered last year. Information leakage flaws were most common and were present in more than 65% of the applications in which a security bug was found on initial scan. About 62% had cryptographic flaws while 56% had what Veracode described as code quality issues.
The Top 10 list of most frequent vulnerabilities on initial scan this year was identical to the list of top flaws last year and suggested that organizations are continuing to grapple with the same issues as they have been for quite some time.
"This year’s study included confirmation of trends we’ve seen for a while," says Tim Jarrett, senior director of product marketing at Veracode. But there were also some surprises, he says.
The analysis, for instance showed accelerating adoption of scanning earlier in the software development lifecycle, he says. The number of organizations doing at least 12 scans per year ticked up slightly from 10.5% to 11.1%. Over 36% though continued to do just one scan per year.
There was also evidence that findings, which are prioritized by a policy, for instance higher severity findings, get fixed about twice as often as do findings not prioritized by policy, Jarrett says.
"We see evidence that scan frequencies are increasing, with a 3% to 4% increase in applications scanning at least daily," he says. "[Such] frequent scanning is a sign of both early-lifecycle scanning and automated scanning." But the majority of applications are still only being tested quarterly—or less frequently. "There’s plenty of room for improvement," he notes.
Developers, according to Veracode, are not the only ones to blame for the continuing struggles with applications that many organizations appear to be having.
"It’s time to put the lazy developer trope to bed," the company noted in its report. "It may be easy for cybersecurity pros to blame AppSec woes on indifferent, uncaring, or slothful coders." But the reality is very different, Veracode said.
Operational teams for instance have a part in undermining application security as well. When Veracode took a look at the overall hygiene of the production environments at the organizations in its survey the company found an "alarming number" of vulnerable servers running production applications.
When Veracode queried the public-facing web applications of the companies in its report, it discovered nearly 25% of the sites operating on web servers with one or more vulnerabilities with a CVSS rating of 6 or higher. Nearly 19% had web servers that were at least a decade old.
At many organizations developers also simply don't get the security training they require. Few managers consider a software developer's security skills as an important metric when evaluating performance, the application security vendor noted.
The Veracode report quoted a previous study the company had sponsored, in which 68 percent of developers and IT pros said their organizations did not provide adequate security training. Some 76% in that survey said they had not been required to take a single security course in college. Another study that Veracode conducted with analyst firm Enterprise Strategy Group showed a high-level of awareness about the importance of security knowledge among development teams. But only 18% said security was the most important metric for measuring developers’ performance, Veracode said.
- Why Your AppSec Program Is Doomed to Fail & How to Save It
- 98% of Companies Favor Integrating Security with DevOps
- Software Assurance: Thinking Back, Looking Forward
- 7 Steps to Transforming Yourself into a DevSecOps Rockstar