We recently surveyed 308 security professionals responsible for application security (AppSec) to find out the struggles they’re facing and the tactics they’re employing in securing their application layer. In analyzing the responses, we found that what the respondents are not doing regarding application security is often more revealing than what they are doing. The bottom line is that web application attacks remain the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report), so it’s important to get this right. Combining these survey responses with our recent State of Software Security report (based on data we collected from our Platform the past 18 months), we can put together a pretty clear picture of what good looks like in an AppSec program.
Among our survey respondents:
WAFs and pen testing are the most popular application security methods
The following were the most popular responses to the question: what methods are you currently using to ensure application security?
- Web application firewalls (WAFs): 68%
- Manual penetration testing: 43%
Tellingly, 40 percent of respondents also reported that an obstacle to effective application security is that “legacy application security processes add complexity and slow time-to-market.”
Manual penetration testing is an important part of an AppSec program, but it isn’t sustainable or scalable enough to be the sole or primary method. Manual tests are expensive, require hard-to-find skill sets and simply can’t scale to keep up with the pace of software development.
In addition, firewalls were designed to handle network events, such as finding and blocking botnets and remote access exploits. Some can address application-level events — but not as well as application-layer solutions, and only with significant effort to configure and monitor them. Ultimately, they don’t fix application-layer vulnerabilities; they only mitigate them while the underlying flaw remains in the code.
Effective application security requires a combination of testing methods that address vulnerabilities across your application landscape and throughout the development lifecycle. In addition, these methods should be automated and integrated into development processes, so that they easily scale and don’t slow development processes.
Only 30% inventory all open-source components used in development
In addition to the low number keeping an inventory of components, a high number of respondents report that “reducing the risk of attack while building, buying and integrating more software than ever” is, by a significant margin, their No. 1 application security concern.
With the extreme pressure on developers to get working code delivered quickly these days, it’s a common development practice to integrate pre-built open source software components into their own code. But this practice is causing headaches because, as we saw with Heartbleed and Shellshock, components introduce vulnerabilities that are almost impossible to track down.
Despite their risk, components are still best practice for any company attempting to rapidly produce and deploy new applications or updates. And in fact, discontinuing their use would put an organization at a serious disadvantage. Component use is not the problem; visibility is.
Unless developers carefully keep track of each open source component they use, companies do not have a list of components and versions. This lack of visibility makes it very challenging for security professionals to understand the risk associated with their applications and increases their risk of breach. But with technologies that keep track of which applications are using each component and what versions are being used, your organization has an easy way to update a component to the latest version if a vulnerability is discovered.
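As an added illustration of the visibility point above (this is example code, not the page's or any vendor's product), the script below keeps a component inventory per application and answers the question a newly disclosed component vulnerability raises: which applications ship an affected version? The inventory and the advisory are constructed sample data; the advisory is modelled on Heartbleed (OpenSSL 1.0.1 through 1.0.1f affected, fixed in 1.0.1g), and the version parser assumes OpenSSL-style "digits plus optional letter suffix" components.

```python
# Constructed sample inventory: application -> {component: installed version}.
INVENTORY = {
    "billing-api":     {"openssl": "1.0.1e", "bash": "4.2"},
    "customer-portal": {"openssl": "1.0.1g", "jquery": "1.11.0"},
    "legacy-reports":  {"openssl": "0.9.8y"},
    "build-agent":     {"openssl": "1.0.1f", "bash": "4.3"},
}

# Constructed advisory record (inclusive affected range), modelled on Heartbleed.
ADVISORY = {
    "component": "openssl",
    "first_affected": "1.0.1",
    "last_affected": "1.0.1f",
    "fixed_in": "1.0.1g",
}


def parse_version(v: str) -> tuple:
    """Turn '1.0.1f' into a comparable tuple of (number, letter-suffix) pairs.

    An empty suffix sorts before 'a', so 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.2.
    Assumes OpenSSL-style numbering; other schemes would need their own parser.
    """
    parts = []
    for piece in v.split("."):
        digits = piece.rstrip("abcdefghijklmnopqrstuvwxyz")
        suffix = piece[len(digits):]
        parts.append((int(digits or 0), suffix))
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    v = parse_version(version)
    low = parse_version(advisory["first_affected"])
    high = parse_version(advisory["last_affected"])
    return low <= v <= high


def affected_apps(inventory: dict, advisory: dict) -> dict:
    """Return {application: installed_version} for every app shipping an affected build."""
    hits = {}
    for app, components in inventory.items():
        version = components.get(advisory["component"])
        if version is not None and is_affected(version, advisory):
            hits[app] = version
    return hits


if __name__ == "__main__":
    for app, version in affected_apps(INVENTORY, ADVISORY).items():
        print(f"{app}: {ADVISORY['component']} {version} -> upgrade to {ADVISORY['fixed_in']}")
```

Without the inventory, the same question has to be answered by hand-auditing every build, which is exactly the visibility gap the survey figure describes.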
Only 33% remediate all vulnerabilities
It’s best practice to start with the most critical vulnerabilities, but it is equally important to gradually expand your program to cover your entire application landscape and all vulnerability types.
For instance, we’ve seen organizations find success with a phased approach that addresses the most severe vulnerabilities in the first year and then expands to include other classes of vulnerabilities after that. This approach is also ideal because it avoids the developer pushback that comes from setting the bar too high out of the gate.
What do successful AppSec programs look like?
Enough about what organizations are not doing! There are organizations out there moving the needle on application security and dramatically reducing their app-layer risk. How are they doing it? We recently analyzed the organizations among our client base with the highest vulnerability fix rates, and found that a set of best practices is consistent across them. These practices include:
- Developer coaching for remediation assistance
- eLearning subscriptions to improve developer skills
- Using more than one assessment technique
- Leveraging Developer Sandbox testing for more frequent unofficial scans
- Tracking progress against benchmarks
What is your application security approach? Get the details on what others are doing in the report detailing our recent survey results: Trends and Tactics: How IT Professionals Are Approaching AppSec Today.