Annual Research from WhiteHat Security Says Remediation Rates for App Vulnerabilities Continue to Fall

A phased approach to DevSecOps supports security and DevOps convergence, empowering teams to deliver better performing and more secure apps

SAN JOSE, Calif., Aug. 13, 2019 – Despite a significantly increased focus on application security testing, remediation rates for vulnerabilities continue to shrink, according to WhiteHat Security, an independent subsidiary of NTT Security and a leading application security provider committed to securing applications that run enterprise businesses. Today, the company released its 2019 Application Security Statistics Report, “The DevSecOps Approach: Using AppSec Statistics to Drive Better Outcomes,” which identifies the latest statistics and trends regarding the biggest application security threats to organizations.

As a result of WhiteHat’s deep AppSec expertise and robust vulnerability database coupled with NTT Security’s global threat intelligence, WhiteHat’s research now offers the most comprehensive perspective on the current state of application security, as well as recommendations on how to implement DevSecOps effectively.

Setu Kulkarni, WhiteHat’s VP of Strategy and Business Development, said, “It is more critical than ever that digital transformation initiatives must include a robust application security program. The 2019 STATS report builds on the DevSecOps framework we had outlined last year and advances it with supporting metrics, to help our customers build consensus for securing applications and reducing risks, costs and complexity. We find that organizations that take this approach experience markedly better AppSec outcomes – notably a 50% drop in Window of Exposure, an important metric that represents the amount of time that an application has a serious vulnerability that can be exploited to data breaches.”

Key findings of the report include:

  1. The effort required to secure the rapidly growing volume of existing and new applications is overwhelming already short-staffed teams.
  2. AppSec investment is unbalanced across development, security and operations.
  3. Organizations that scan applications in production have a reduced risk of being breached.
  4. Organizations that embed security in DevOps are able to reduce risk, reduce cost and improve time to market.
  5. Embeddable components in the software supply chain account for 1/3 of all AppSec vulnerabilities.

WhiteHat Security has been publishing this yearly report since 2006. The study comprises statistical data and analysis gathered from continuously updated security testing information in WhiteHat Sentinel, a cloud-based application security platform.

“WhiteHat’s research offers the most comprehensive perspective on the current state of application security,” said Craig Hinkley, CEO at WhiteHat. “Applications are under constant attack, and businesses continue to struggle against this tide. However, by embedding application security testing at each stage of the software lifecycle, organizations can make demonstrable improvements while reducing the time to delivery of secure applications. WhiteHat Security’s Application Security Platform provides the foundational DevSecOps capabilities, including DAST, SAST and SCA, that organizations require at each stage of their software lifecycle – enabling innovation and security to thrive simultaneously.”

About WhiteHat Security

WhiteHat Security has honed its 18 years of experience in the application security space to provide developers and businesses with the tools and services they need to write and deliver the most secure software at the speed of business. The award-winning WhiteHat Application Security Platform, which has been featured on the Gartner Magic Quadrant for Application Security Testing for the last five years, is empowering DevSecOps by continuously assessing the risk for organizations’ software assets and helping them to embed security throughout the software life cycle (SLC). The company is an independent, wholly-owned subsidiary of NTT Security and is based in San Jose, California, with regional offices across the U.S. and Europe. For more information on WhiteHat Security, please visit, and follow us on Twitter, LinkedIn and Facebook.