Organisations reduce rising ‘security debt’ via DevSecOps, special sprints

Veracode has published the findings of the State of Software Security (SOSS) Volume 10 report. The 10th installment of the industry’s most comprehensive research on application security data finds that more than half of all security findings (56%) are fixed, but a focus on fixing new findings while neglecting aging flaws leads to increasing security debt.

  • 5 years ago Posted in
After analysing more than 85,000 applications across more than 2,300 companies worldwide, the research found that fixing vulnerabilities has become just as much a part of the development process as improving functionality, suggesting developers are shifting their mindset to view the security of their code as equal to other value metrics.  

 

“Over the past 10 years, we’ve seen a vast improvement in the overall state of application security. We’ve gone from having to discuss why AppSec is important to having conversations about the best way to approach the problem. This change is reflected in the data that shows companies are fixing a higher percentage of flaws than ever before,” said Chris Wysopal, cofounder and Chief Technology Officer at Veracode. “However, the report also shows us there is plenty of room for improvement, specifically when it comes to the issue of mounting security debt. Like credit card debt, even carrying a small balance forward on a recurring basis can quickly leave you in the hole.”  

 

SOSS Volume 10 sheds light on best practices for organisations to make security habitual and lighten their security debt load, including frequent testing and a plan for tackling this debt. 

 

While much has changed since the first SoSS report was published nearly 10 years ago, the new report reveals that many of the flaws we saw in the past remain persistent today. Overall, 83% of applications have at least one flaw in the initial scan, and information leakage (64%), cryptographic issues (62%), and CRLF injection (61%) are the most common flaws. Interestingly, cryptographic issues and information leakage were also the top two most common flaws in SOSS Volume 1. Despite the continued prevalence of flaws, development teams are making strides in keeping up with these vulnerabilities - 70% are either reducing the number of flaws after first scan or not introducing any other flaws by the time of the final scan. The pass rate for OWASP Top 10 compliance on the initial scan this year also reversed a three-year decline by rising to 32%, demonstrating that secure development education is helping to reduce the introduction of flaws.  

 

Developers are in a race to fix faster than security debt accumulates 

 

The report reveals that the longer flaws stick around, the chances they will be corrected diminish, which adds to an organisation’s security debt. Security debt — defined as aging and accumulating flaws in software — is emerging as a significant pain point for organisations across industries. About half of applications are accruing debt over time, a quarter are driving it down, and another quarter are breaking even.  

 

“The overall prevalence of flaws rose 11% since we first reported it 10 years ago, but the proportion of those flaws assessed to be of high severity dropped 14% over the same period. The data shows developers are very likely to fix high severity flaws so there is solid evidence that development teams are getting better at figuring out which flaws are the most important to fix first,” said Chris Eng, Chief Research Officer at Veracode. 

 

Organisations must address the new security findings while chipping away at the old. The data indicated that how frequently an application is scanned has a direct impact on overall security debt. The top 1% of applications with the highest scan frequency carry about five times less security debt than the bottom third, suggesting frequent scanning does more than help find flaws; it helps companies significantly reduce risk.  

 

DevSecOps delivers a huge spike in fix rates  

 

The frequency and cadence of security testing are tied to changing habits to reduce security debt. Applications scanned less than once per month require a median time to remediate (MedianTTR) of 68 days, yet development teams scanning daily show an MTTR of just 19 days, contributing to lower security debt accumulation over time. Organisations can also reduce security debt by creating security checklists for developers for all new features and scanning codebases following each nightly build.  

 

“Development teams can’t ignore the findings nor choose to fix the new flaws rather than the old ones. Instead, they should make a plan to fix the new findings and use periodic ‘security sprints’ to fix unresolved flaws that could be exploited,” Eng said.  

 

The data reveals 30% of applications show an increased number of flaws in their latest scan, an indication that security debt is accruing. This doesn’t necessarily imply those development teams are doing a bad job managing flaws – it could represent a period of rapid growth and change – but it does highlight that organisations should think about how frequent AppSec testing within DevOps environments can make a positive impact on security debt. 

 

EMEA lags in time to fix flaws, but keeps security debt under control 

 

The report also shows regional differences in several key measures of software security testing. Companies in EMEA had the fewest high severity flaws (32%), followed by the Americas (37%) and Asia-Pacific (40%). The Americas and EMEA impressively fixed their flaws at the same rate (73 and 72% respectively), while APAC fixed just over half (55%). In the past, discrepancies between the Americas and EMEA regions were much larger. The similar fix rates in the region suggests organisations in EMEA are maturing their AppSec programs to rival those in the Americas. However, when it comes to median time to remediate, the results are very different. APAC comes in well ahead at 42 days, followed by the Americas at 56 days, while companies in EMEA trail at 147 days average time to remediate flaws. 

 

Looking at security debt per application, organisations in the Americas come out on top with the fewest at 156 flaws per app, while EMEA carries 210 flaws per app and APAC 732 flaws per app. While organisations in EMEA generally appear to take longer to fix flaws, they still manage to keep debt under control – likely tracing back to the lower starting point for flaw prevalence. This again indicates a dedicated focus to fixing flaws over time, rather than fixing as flaws are found. 

Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
73% of organizations lack automated patch management, and 62% experienced incidents involving...
Quest Software has signed a definitive agreement with Clearlake Capital Group, L.P. (together with...
Dell EMC PowerProtect Cyber Recovery for AWS provides a fast, easy-to-deploy public cloud vault to...
Aqua’s cloud native application protection platform becomes the only solution that protects cloud...
54% of organisations working on a security transformation project now or in the next 12 months.
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Zscaler Zero Trust exchange cloud-based architecture enables superior green security capabilities...