Speed to market and competition are a part of every ISV’s business. But in the race to deploy the next big thing, are you keeping up with application security?
Mark Curphey, VP of Strategy at Veracode, told DevPro Journal that Veracode’s State of Software Security Volume 9 confirmed what ISVs know intuitively: It takes time to fix security flaws. The report shows that 75 percent of flaws are still present after 21 days, and 25 percent of flaws persist after 472 days.
“In scanning more than 2 trillion lines of code, we found that software is still rife with vulnerable components, and more than 85 percent of applications have at least one vulnerability,” says Curphey. “However, we did see promising signs of progress as well. Close rates improved by 12 percent – customers closed nearly 70 percent of vulnerabilities they found.”
He adds that the report's analysis also shows a strong correlation between high rates of security scanning and lower long-term application risk, which, says Curphey, “we believe presents a significant piece of evidence for the efficacy of DevSecOps.”
As the name implies, DevSecOps builds security into the development process itself: teams don't design a system and then hand it to security staff to correct flaws before release. A devsecops.org blog post explains why that hand-off model falls short: security staff usually don't have all of the information needed to make fully informed security decisions, so the approach is rarely 100 percent effective.
Transitioning to DevSecOps requires changing your business’ culture — probably more than your processes — because it will take cooperation and collaboration from all members of your team. But the benefits DevSecOps will provide you and your clients can be significant. Veracode has found that it gives ISVs clear advantages when it comes to application security. In fact, the research shows that the most active DevSecOps programs fix flaws more than 11.5 times faster than other developers.
The Application Security Outlook for 2019
Looking ahead to the new year, Curphey says to look for two significant changes related to application security:
“In 2019, DevOps-centric organizations will conduct a greater shift to processes that automatically test every code change,” says Curphey. “This will allow development teams to solve the problems of slow development cycles by finding and fixing flaws early in the software development lifecycle, which saves significant time for both developers and security personnel.”
“Agile development is going to give way to continuous delivery in 2019,” Curphey predicts. “Organizations are going to need faster development processes than Agile can provide and continuous delivery provides the speed they need while also building in processes to test and fix security bugs in real time.”
The key takeaway from the Veracode report is the correlation between how quickly you fix application security flaws and the risk your software represents over time. The faster you eliminate vulnerabilities, the safer your users’ data and businesses will be. Make 2019 the year you find efficient and effective ways to build security into development operations.
About the State of Software Security Report
CA Veracode’s ninth State of Software Security (SOSS) report is a comprehensive review of application security testing data from scans of more than 2 trillion lines of code, conducted across CA Veracode’s base of 2,000 customers, which the company describes as the industry’s most comprehensive set of application security benchmarks. The report investigated variables such as flaw type, severity, app criticality, the impact of scanning rate on fix velocity, and persistence of flaws after discovery. For this iteration, CA Veracode collaborated with data scientists at the Cyentia Institute to better visualize and understand vulnerability fix behavior.
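Two of the variables listed above, persistence of flaws after discovery and fix velocity, are figures you can compute for your own team from any scanner's findings export, which is the only way to know whether you are on the "75 percent still open after 21 days" side of the report or the 11.5-times-faster side. The Python below is an added illustration, not code from Veracode, the SOSS report or DevPro Journal. The Finding records, the snapshot date, the 21-day SLA and all function names are constructed sample data and assumptions; persistence_rate applies the same idea as the report's persistence figures, counting only findings that are old enough to have had the full window to be fixed, so a flaw found yesterday does not inflate the rate.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Finding:
    """One scanner finding. `closed` is None while the flaw is still open."""
    id: str
    severity: str
    found: date
    closed: Optional[date] = None


# Constructed sample export (not real scan data): eight findings as seen at the
# 1 January 2019 snapshot. Ages in the comments are relative to AS_OF.
AS_OF = date(2019, 1, 1)
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-1", "high",   date(2018, 10, 1),  date(2018, 10, 10)),  # fixed in 9 days
    Finding("F-2", "high",   date(2018, 10, 1),  date(2018, 11, 15)),  # fixed in 45 days
    Finding("F-3", "medium", date(2018, 10, 15)),                      # still open, 78 days old
    Finding("F-4", "low",    date(2018, 11, 1),  date(2018, 11, 5)),   # fixed in 4 days
    Finding("F-5", "high",   date(2018, 11, 20)),                      # still open, 42 days old
    Finding("F-6", "medium", date(2018, 12, 1),  date(2018, 12, 28)),  # fixed in 27 days
    Finding("F-7", "high",   date(2018, 12, 20)),                      # still open, only 12 days old
    Finding("F-8", "low",    date(2018, 12, 25), date(2018, 12, 27)),  # fixed in 2 days
]


def days_open(f: Finding, as_of: date) -> int:
    """Days the finding was open: discovery to close date, or to the snapshot if still open."""
    end = f.closed if f.closed is not None else as_of
    return (end - f.found).days


def persistence_rate(findings: Sequence[Finding], days: int, as_of: date) -> Optional[float]:
    """Fraction of findings still open `days` days after discovery.

    Only findings discovered at least `days` before the snapshot are eligible;
    younger ones have not yet had the full window to be fixed. Returns None when
    nothing is old enough to judge, rather than a misleading 0.0.
    """
    eligible = [f for f in findings if (as_of - f.found).days >= days]
    if not eligible:
        return None
    still_open = sum(
        1 for f in eligible
        if f.closed is None or (f.closed - f.found).days > days
    )
    return still_open / len(eligible)


def close_rate(findings: Sequence[Finding]) -> float:
    """Share of all findings that have been closed (the report's 'close rate')."""
    return sum(1 for f in findings if f.closed is not None) / len(findings)


def median_days_to_fix(findings: Sequence[Finding]) -> Optional[float]:
    """Median time to fix over closed findings only; None if nothing has been closed."""
    fixed = [(f.closed - f.found).days for f in findings if f.closed is not None]
    return median(fixed) if fixed else None


def overdue(findings: Sequence[Finding], sla_days: int, as_of: date) -> List[Finding]:
    """Open findings older than the SLA, oldest first: the list a pipeline gate would block on."""
    late = [f for f in findings if f.closed is None and (as_of - f.found).days > sla_days]
    return sorted(late, key=lambda f: f.found)


if __name__ == "__main__":
    for horizon in (21, 90):
        rate = persistence_rate(SAMPLE_FINDINGS, horizon, AS_OF)
        shown = f"{rate:.0%}" if rate is not None else "n/a (no finding that old)"
        print(f"still open after {horizon} days: {shown}")
    print(f"close rate: {close_rate(SAMPLE_FINDINGS):.0%}")
    print(f"median days to fix: {median_days_to_fix(SAMPLE_FINDINGS)}")
    for f in overdue(SAMPLE_FINDINGS, 21, AS_OF):
        print(f"OVERDUE {f.id} ({f.severity}) open for {days_open(f, AS_OF)} days")
```

On the constructed data, two thirds of the findings old enough to judge were still open at 21 days and the close rate is 62.5 percent, which is the shape of result the report describes. Rerunning the same functions after each scan is what turns "scan more often" into a measurable trend: the persistence curve should fall and the overdue list should shrink as the team moves toward fixing flaws within the sprint that introduced them.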