How Proficient are Your Developers at Fixing Application Security Flaws?

How would you rate your software development team at fixing application security flaws?  Veracode’s State of Software Security, Volume 9 includes benchmarks you can use to gauge performance — and it also offers insights that can help your team more effectively address application security.

The study is based on data from more than 700,000 applications submitted for security testing on the Veracode platform between April 1, 2017 and March 31, 2018. With help from data scientists at Cyentia Institute, Veracode was able to use that information to gain understanding into application security flaws and how they are typically addressed.

Fixing Application Security Flaws Takes Time

The Veracode study found more than 70 percent of all security flaws are still present after 1 month; 55 percent are still present after 3 months; and about one-fourth are still open for more than a year. In addition, about 25 percent of high severity and very high severity flaws — lines of code with very serious weaknesses that make them easy targets for attacks — aren’t addressed within 290 days.

Chris Eng, VP of Research at Veracode, says in the study’s introduction, “In many ways, our deeper look into the data confirmed what many industry veterans recognize intuitively: it takes time to fix security flaws.” He explains that in addition to the work to correct the flaw, there are other factors that contribute to the time it takes, including QA, prioritizing some fixes over others, and product release cycles.

The report points out, however, that the time it takes developers to fix flaws isn’t just a performance benchmark — it is also a measure of application risk. Consequently, developers need to find ways to address security flaws as quickly as possible.

Application Security Flaw Correction Rate, by Industry

Veracode also broke down the results of its study by industry, finding that healthcare organizations remediate security flaws most quickly, followed by retail and technology businesses. Infrastructure, manufacturing, and financial institutions, on the other hand, are least effective at fully addressing security flaws.

The report points out that different industries may be dealing with different challenges. The most prevalent security vulnerabilities by industry are:

• Healthcare: information leakage, 63.8 percent; cryptographic issues, 62.1 percent
• Retail: information leakage, 66.1 percent; code quality, 65 percent
• Technology: cryptographic issues, 70.1 percent; information leakage, 67.8 percent
• Infrastructure: code quality, 63.1 percent, information leakage, 60.8 percent
• Manufacturing: information leakage, 61.7 percent; code quality, 61.6 percent
• Financial: information leakage, 67.3 percent; and code quality and CRLF injection, both approximately 62 percent
• Government and Education: code quality, 59.1 percent; cross-site scripting (XSS), 58.8 percent.

Development Methodology Makes a Difference

The Veracode study also found that DevSecOps programs, which make security design and testing a part of their DevOps continuous software delivery processes, fix flaws 11.5 times faster than other developers.

One reason may be that DevSecOps organizations put applications through security scans much more frequently than waterfall development organizations, fixing flaws as they are discovered, rather than putting security tests at the end of the development cycle.

Additional Findings in Veracode’s Study

• More than 85 percent of all applications have at least one vulnerability; at least 13 percent have at least one flaw of critical severity.
• Since last year’s study, there was no decrease in common vulnerabilities:
  • SQL injection flaws are still present in about one-third of applications
  • XSS vulnerabilities are still present in about 50 percent of applications.
• Vulnerable components are present in the majority of apps:
  • Java, 87.5 percent
  • C++, 92 percent
  • .NET, 85.7 percent
• Close rates improved by 12 percent; developers closed nearly 70 percent of the vulnerabilities they found this year.

Key Takeaways

Veracode lists for key lessons from the study:

1. The speed at which developers fix flaws is directly related to the risk the software creates over time.
2. With the volume of flaws that some developers face, it’s important to prioritize and address them by their severity.
3. Using DevSecOps development methodology makes it possible to address flaws more quickly.
4. Developers need to carefully evaluate their use of vulnerable, open-source components.

To download the full study, visit https://www.veracode.com/state-of-software-security-report.