A Look at Industry Benchmarks:
Gartner estimates that enterprises spent $12 billion securing their network perimeters in 2014 — 20 times more ($600 million) than they spent on securing the application layer.
At the same time, the threat surface available to cyberattackers is continuously expanding as enterprises increasingly rely on web, mobile and cloud applications to drive their businesses.
So it’s not surprising that web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35% of breaches in some industries, according to the 2015 Verizon Data Breach Investigations Report (DBIR).
It’s easy to look at these data points and realize there’s a problem. However, we wanted to look deeper and see which industries are successfully reducing application-layer risk – at scale – and why.
The resulting benchmark report -- State of Software Security V6: Focus on Industry Verticals – is derived from analytics collected from Veracode’s cloud-based platform over the past 18 months. Unlike a survey, the information is derived from actual code-level analysis of billions of lines of code, representing more than 200,000 assessments performed by Veracode over the past 18 months.
What we found was both encouraging and concerning. In contrast to other sectors, financial services and manufacturing organizations proactively remediate the majority of their vulnerabilities (65% and 81% respectively). Based on our knowledge of these organizations, this is strongly correlated with a top-down emphasis on key metrics, consistent policies across disparate business units and development teams, and a culture of continuous improvement.
Other sectors aren’t doing as well. Government and healthcare organizations only remediate 27% and 43% of identified vulnerabilities, respectively. Moreover, government applications have the highest prevalence of SQL Injection vulnerabilities – commonly used to steal sensitive data from databases – upon initial risk assessment. Part of the reason for this is that many government agencies still use older programming languages such as ColdFusion which are known to produce more vulnerabilities.
It’s also concerning that 80% of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment.
Impact of Remediation Coaching Services (“Readout Calls”)
Lack of in-house expertise is often cited as a barrier to producing more secure code. The data shows that development organizations that leverage Veracode’s remediation coaching services (“readout calls”) improve the security of their code by a factor of two and half times compared those that choose to do it on their own. Delivered by our world-class security and development experts, Veracode’s on-demand advisory services help developers understand secure coding practices and remediate vulnerabilities more quickly and efficiently. Veracode’s State of Software Security V6 report is a must-read for both security and application development professionals who want to understand key metrics for reducing application-layer risk. We hope you’ll find it contains a wealth of practical data to help you benchmark your AppSec program against your peers on an industry-by-industry basis.
 “Application Security Crisis: A Way Out,” Joseph Feiman, Gartner Security & Risk Management Summit, 8-11 June 2015.