In a recent podcast with IDG, Chris Wysopal, Veracode Chief Technology Officer, speaks to the evolution of application security (AppSec) over the past ten years. In his evaluation, Wysopal draws on findings from Veracode’s annual State of Software Security (SOSS) reports. The first volume of the SOSS report, published in March of 2010, focuses on explaining and advocating for an AppSec program. By the tenth volume, the most recent edition, the focus has shifted to building out an AppSec program.
The gradual transition from AppSec awareness to AppSec program planning indicates a clear understanding of the importance of securing applications. In fact, there has been a 50 percent increase in the number of applications scanned for vulnerabilities. But despite the significant increase in scanned applications, the number of vulnerabilities found is growing. The only vulnerabilities that have seen a decline are those considered to be “high-severity.” This finding points to a new trend: more applications are being scanned, but critical flaws are being prioritized when it comes to remediation.
There are two ways of looking at this trend. On the one hand, if an organization is new to AppSec, it is practical and advisable to fix high-severity flaws first. On the other hand, AppSec has been around for quite some time, so organizations need to work on maturing their AppSec programs. A mature, best-practice AppSec program does not favor certain applications or flaws; it scans all applications and remediates all flaws.
Making security a standard way of building software aligns with DevSecOps, in which security is organically woven into development and operations. Moving to DevSecOps requires organizations to break down silos and establish a working relationship between development and security teams. Once relationships are formed and security and development teams start to understand each other’s roles, a “security champions” program can be implemented. Security champions are developers who agree to learn more about security and advocate for it in the build process.
Better yet, Wysopal proposes that colleges and universities start incorporating security into computer engineering curricula. By instilling the need for application security in future developers, DevSecOps will become commonplace.
To learn more about AppSec’s progression, or to hear Chris Wysopal’s view on the future state of AppSec, download our podcast, AppSec Grows Up: A Hard Look at Software Security.