DevOps and digital transformation are creating more insecure apps
For enterprises looking to build new applications as the cornerstone of their digital transformation initiatives, techniques like DevOps are undeniably attractive.
But while they speed up development, they also mean that nearly 70 percent of every application is made up of reusable components such as third-party libraries and open source software. This means that applications can easily inherit the vulnerabilities in those components.
A new report from application security provider WhiteHat Security finds the four most likely vulnerabilities in apps are information leakage (45 percent, up eight percent over last year's report), content spoofing (40 percent), cross-site scripting (38 percent) and insufficient transport layer protection (23 percent).
But while the number of vulnerabilities has gone up, remediation rates are down. Remediation rates for SQL injection, for example, have fallen by 10 percent. Time to fix has gone up too, standing at an average of 139 days for critical vulnerabilities.
"Businesses are transitioning from traditional applications and legacy systems, to web and mobile applications that are purpose-built to serve up superior customer experiences," says Craig Hinkley, CEO of WhiteHat Security. "However, the downside of changing the software lifecycle to speed up the process is the inherent introduction of risk. Therefore, any organization that fails to build security into its app development process is willfully being left exposed to those ever-present threats."
To guard against problems, developers need to incorporate software composition analysis (SCA) into the development process to capture these vulnerabilities early and prevent them from being introduced.
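As an added illustration of what such an SCA check looks like in practice (example code written for this page, not a WhiteHat tool or part of the report), the script below reads a pinned dependency manifest, compares each pin against an advisory list, and fails the build when a dependency sits inside an affected version range. The manifest, package names, version ranges and advisories are all constructed sample data; a real pipeline would read the manifest from the repository and pull advisories from a vulnerability feed.

```python
"""Minimal software composition analysis (SCA) gate for a CI pipeline.

Added example, not from the WhiteHat report or any vendor tool. Both the
manifest and the advisory list are constructed sample data; the package
names and version ranges are illustrative, not real advisories.
"""
from dataclasses import dataclass
import re

# Constructed sample manifest (the file a build step would normally read from disk).
SAMPLE_MANIFEST = """\
# pinned application dependencies
webframework==2.3.1
jsonlib==1.0.4   # transitive via api-client
templating==4.8.0
crypto-helper==0.9.2
"""

@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix released yet
    severity: str
    summary: str

# Constructed advisory list; a real gate would fetch this from an advisory feed.
SAMPLE_ADVISORIES = [
    Advisory("jsonlib", "1.0.0", "1.0.5", "high", "information leakage in error responses"),
    Advisory("templating", "4.0.0", "4.7.3", "high", "cross-site scripting via unescaped output"),
    Advisory("crypto-helper", "0.0.0", "", "medium", "insufficient transport layer protection"),
]

def parse_version(text):
    """'1.0.4' -> (1, 0, 4); non-numeric parts are dropped to keep comparison simple."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_manifest(text):
    """Return {package: pinned_version} from a requirements-style manifest.

    Comments and blank lines are skipped. Only exact pins (==) are accepted,
    because an unpinned dependency cannot be assessed reliably."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps

def is_affected(version, adv):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)

def scan(manifest_text, advisories):
    """Return a list of (package, pinned_version, advisory) for every affected pin."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.package, pinned, adv))
    return findings

def gate(manifest_text, advisories, fail_on=("critical", "high")):
    """CI gate: returns True when the build may proceed.

    Severe findings block the build so they are fixed before release; lower
    severities are reported but do not stop the pipeline."""
    findings = scan(manifest_text, advisories)
    blocking = [f for f in findings if f[2].severity in fail_on]
    for pkg, ver, adv in findings:
        status = "BLOCK" if adv.severity in fail_on else "warn"
        fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fixed version yet"
        print(f"[{status}] {pkg}=={ver}: {adv.severity} - {adv.summary} ({fix})")
    return not blocking

if __name__ == "__main__":
    import sys
    sys.exit(0 if gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES) else 1)
```

Run as a build step, a non-zero exit code stops the pipeline on the high-severity jsonlib finding while the medium-severity crypto-helper finding is only reported; the gate deliberately rejects unpinned dependencies, since a version that is not fixed cannot be matched against an advisory range.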
"When we see a year-over-year decline in overall remediation rates, that means AppSec and DevOps teams are too focused on fixing easy-to-patch medium- and lower-severity findings after the fact," adds Hinkley. "To truly protect the enterprise, the focus must be on addressing severe vulnerabilities as soon as possible, or better yet -- have security written into the design of business applications at the code level."
You can read more about the findings on the WhiteHat Security blog.