More organizations have embraced DevSecOps best practices, according to a report published by WhiteHat Security, a subsidiary of NTT Security focused on application security. However, the report also notes that although more vulnerabilities are being discovered, thanks mainly to increased collaboration between developers and cybersecurity professionals, the rate at which vulnerabilities are being remediated has not improved significantly.
Based on about 17 million application security scans conducted in 2018, the “2019 WhiteHat Application Security Statistics Report” finds that, compared to last year’s annual report, there has been a 20% increase in the applications that organizations are testing for vulnerabilities.
Setu Kulkarni, vice president of strategy and business development for WhiteHat Security, said the latest application security report from WhiteHat shows that DevSecOps has moved beyond being a philosophy that organizations are encouraged to adopt to an actual best practice that is being implemented.
In fact, Kulkarni said, a pivot point has been reached where cybersecurity professionals are now participating in DevOps processes by, for example, identifying specific vulnerabilities within applications as they are being developed.
That shift has resulted in significant reductions in the amount of time an application is exposed to a vulnerability among organizations that have embraced best DevSecOps processes, the report finds.
Those efforts, however, often result in more vulnerabilities being discovered, and the DevSecOps teams finding all those vulnerabilities don’t necessarily have the resources required to remediate them all, noted Kulkarni.
That issue is even more acute in organizations that have adopted microservices, he added. Not only do there tend to be more vulnerabilities in microservices-based applications, but Kulkarni also said it’s apparent that few organizations are aggressively revisiting microservices once they have been deployed in a production environment, even though theoretically it’s possible to more easily rip and replace flawed software within a microservice.
Overall, the WhiteHat report finds that, from a dynamic application security testing (DAST) perspective, Transport Layer Security (TLS) protection is the most common vulnerability discovered (33%), followed by information leakage at 12% and cross-site scripting at 10%. From a static application security testing (SAST) perspective, the single biggest issue is unpatched libraries (33%), followed by application misconfiguration in the form of disabled global error handling at 14% and cross-site scripting at 12%.
It may be a while before DevSecOps best practices are adopted pervasively across the enterprise. However, as responsibility for cybersecurity continues to shift left as part of the overall application quality assurance process, it is clear application security progress is being made. Arguably, the biggest challenge now is not so much mastering the available tools as it is defining a shared responsibility process across developers, cybersecurity professionals and IT operations teams. Developers and IT operations teams are, of course, still fine-tuning DevOps processes. Adding cybersecurity professionals, who often have limited programming expertise, takes that challenge to a whole new level. The good news is most organizations are starting to realize that when it comes to application security, there is no alternative.