Veracode recently released its "State of Software Security Volume 6: Focus on Industry Verticals" report, which includes the results of the vulnerability assessments the company conducted on hundreds of thousands of applications. The report is a useful resource for helping organizations evaluate their application security and mitigate their risk of exposure to cyberthreats.
Since 2006, Veracode customers have identified over 23 million potential security flaws, and they've fixed about 60 percent of them. The report shows that the number of vulnerabilities customers fixed last year even hit 70 percent.
The financial services and manufacturing industries were the most proactive sectors, fixing the largest number of vulnerabilities thanks to an approach based on the continuous improvement of application security. While the number of cyberattacks is growing — along with their level of sophistication — companies that remain vigilant have still been able to resist attacks.
The issue is that the majority of organizations fail to properly address software security. According to Gartner, in 2014 enterprises spent $12 billion securing their network perimeters, but only $600 million on improving the security of their applications. The report highlights the fact that by properly addressing application security, enterprises can significantly reduce their exposure to cyberattacks via a metrics-driven, policy-based approach.
There are significant differences in how organizations in different industries address vulnerabilities in their applications. Veracode analysis provides numerous methodologies to measure software security and quality, including compliance with an accepted industry standard (OWASP Top 10), and average application flaw density. Veracode researchers have defined a compliance policy that advises an application must be free of all flaws listed in the OWASP Top 10.
Unfortunately, the report reveals that the OWASP Top 10 policy was only satisfied by a limited number of applications, mainly used by organizations in the financial services and manufacturing sectors.
The report analyzes remediation rates by industry vertical, comparing the number of fixed flaws with the number of vulnerabilities found. Organizations in the manufacturing and financial services sectors fixed the largest percentage of vulnerabilities. Government organizations fared less well — the report found they typically lack a proper security posture and fail to address remediation for the applications they use, fixing only 27 percent of vulnerabilities discovered in their software.
The most disconcerting finding for government organizations is that 76 percent of public sector applications are affected by one of the flaws in the OWASP Top 10.
Healthcare organizations performed poorly as well. Only 43 percent of known vulnerabilities were remediated, and 80 percent of healthcare organizations exhibited cryptographic issues upon initial assessment, according to the report.
Cryptographic issues were found to be "highly prevalent across all applications" and can be exploited by attackers to siphon data or hijack communication with an application. "Among other flaw categories, organizations in healthcare have the highest incidence of cryptographic issues — which is concerning given data confidentiality requirements for personal information imposed by HIPAA," the report states.
Another element highlighted in the report is the risk related to the use of applications developed by third-party software vendors and SaaS suppliers. According to Veracode, 72 percent of applications from third-party providers fail the OWASP Top 10 policy when assessed.
Organizations saw a 25 percent improvement in flaw density with the adoption of remediation coaching services, especially for organizations that lack in-house security expertise. Veracode provides these on-demand advisory services, called "readouts," which help developers implement secure coding best practices and efficiently remediate vulnerabilities. The report also highlights that the continuous assessment of applications over time allows organizations to improve software security by reducing flaw density.
The Veracode report is especially useful to enterprises seeking to understand security benchmarks for their industry, and how they can better focus their efforts to prevent dangerous vulnerabilities from harming their business. Download the report in its entirety here.
Photo Source: Flickr